Slashdot Mirror


Holland Bans AMD's 'Virus Protection' Campaign

Hack Jandy writes "For those of you who didn't see this coming, AMD's Advanced Virus Protection campaign has been banned in Holland since the technology does (almost) nothing to stop viruses! If you recall, AMD's NX bit attempts to stop the processor from executing pages on the stack that have been written to. Does NX even solve more problems than it causes?"

330 comments

  1. How do you explain it to Joe Sixpack? by LostCluster · · Score: 5, Informative

    What the "NX bit" actually does is a pretty nice thing for preventing buffer overflows... if a segment of memory is marked for data use and then the code execution point somehow arrives there, you get a crash-out instead of the execution of arbitrary code.

    Of course, AMD's problem is finding a way to try to communicate that concept to the average user. Joe Sixpack doesn't even know what a buffer overflow problem is, so they don't understand why they need a solution to that problem. AMD is trying to use the concept of "virus prevention" instead, but apparently they've gone too far in implying that the NX bit eliminates the need for conventional anti-virus methods, which it most certainly does not.

    This is an extra set of suspenders, not a new belt.

    1. Re:How do you explain it to Joe Sixpack? by karniv0re · · Score: 4, Informative

      This is akin to OpenBSD's W^X, which specifies that memory can be either Writable or eXecutable but never both. Wikipedia has a good stub on it, as well as a nice article on the NX bit.

    2. Re:How do you explain it to Joe Sixpack? by blair1q · · Score: 1

      Memory management systems have been available for decades that prevent execution from data space or writing to code space.

      What has AMD actually done that's new and valuable?

    3. Re:How do you explain it to Joe Sixpack? by kngthdn · · Score: 1

      How do you explain it to Joe Sixpack?

      There's a pretty good explanation over at Wikipedia, too.

    4. Re:How do you explain it to Joe Sixpack? by jrockway · · Score: 4, Insightful

      NX doesn't fix anything.

      If I'm overflowing a stack buffer, I'll just write the address of system() over EIP and the address of a string I control after that. Then when the function returns, it will execute system("/whatever/program/i/want").

      Maybe not quite as convenient as shellcode for crackers, but virus writers will adapt and NX will mean nothing.

      --
      My other car is first.
    5. Re:How do you explain it to Joe Sixpack? by lintux · · Score: 4, Insightful

      Let's just say it's impossible to market something like this. In their ad they said something like "AMD processors are the only processors which actively stop/prevent viruses". Surely that's not something a CPU can do at all anyway.

      And since this is only a minor improvement (if an improvement at all) in the Athlon64 I wonder why they didn't think of something else to use to promote the CPU... Surely saying that the thing is 64-bit must impress some Joe Sixpacks.

    6. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 2, Insightful

      What the "NX bit" actually does is a pretty nice thing for preventing buffer overflows.

      I have to call you on this one. It's only a "pretty nice thing" in theory, since the option has to be enabled during the compilation of the binary. In Windows (even XPsp2), this is only enabled for certain MS-created services that listen on ports. It has to run in PAE mode. Not every application is protected. Significantly, the user-space apps are not protected. You have to specify /PAE option, despite what MS says.

      So, moderators. How does the original post deserve such a high ranking? It's factually incorrect on a few points, and just makes general statements about "safety is good". The trend appears to be that early posters get points, and everyone else carps and trolls. What a shit hole slashdot has become. (I can recall when a 90-post story was big news, and most of the posts were useful... but don't get me started.)

    7. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      you don't because joe sixpack doesn't give a fuck.

      joe sixpack is not the target of anything tech related.
      that is the store's job

      joe is a sheep, you tell him what to do. he does it

    8. Re:How do you explain it to Joe Sixpack? by 0racle · · Score: 4, Insightful

      "What does 64bit mean? Obviously 32 is working for me, why do I need this. Now virus protection, that I need."

      That's why. They don't have to explain what being a 64bit processor means and why they need it, because most people don't, but everyone needs virus protection and for the most part they already know that.

      I have yet to see a good reason why I should get an A64, beyond the 'dude holy shit it's faster than last month's model.'

      --
      "I use a Mac because I'm just better than you are."
    9. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0
      Well... This is Joe and he has a Sixpack (beer that is, Joe doesn't work out that much). Now Joe has been quietly drinking his Sixpack and no matter how many beers Joe has he doesn't suffer any "buffer" overflows. This means that Joe with his special "NX bit" in place will not spew, piss, or shit his pants as long as he remembers to take his "NX bit". There still is the problem of Joe losing consciousness and "crashing", but his dignity will be still intact.

    10. Re:How do you explain it to Joe Sixpack? by gutterandthestars · · Score: 0, Interesting

      Has W^X been implemented in any other BSD, like MacOS X? How about any other operating systems?

    11. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      One reason is because it finally gives developers some actual registers to work with, but if you really wanted that you'd go PPC anyway...

    12. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Idiot. An end user won't buy a particular processor just to make a developer's job easier.

    13. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      This is akin to OpenBSD's W^X, which specifies that memory can be either Writable or eXecutable but never both.

      Never? How does one implement a JIT-compiling bytecode engine on such a system?

    14. Re:How do you explain it to Joe Sixpack? by devilspgd · · Score: 0, Redundant

      Added support to the x86 platform.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    15. Re:How do you explain it to Joe Sixpack? by secretsquirel · · Score: 1, Insightful
      joe is a sheep, you tell him what to do. he does it

      Excatly. You explain to joe sixpack that he (scare him into thinking that he) needs this or he will get hacked and have his identity stolen or something, and that NX turbo supershield max-blaster technology is the only way that he can stop it and then joe says "oh shit!" and goes and buys them for his whole family.

      It's called advertising, and IT WORKS!

    16. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 2, Insightful

      First of all, buffer overflow problems exist only in software that has a bug. The truth is that there probably isn't any large program out there that doesn't suffer from this. When you have a huge chunk of code you tend to overlook things, plus the software gets extremely hard to maintain from a security standpoint, hence buffer overflows appear. What AMD supposedly invented is the same thing that VMS machines have had for ages now (or should I say used to when VMS was still kicking). As some people have already pointed out there are several software implementations of the *NX* feature with OpenBSD being the most notable one. So in essence *NX* is not that innovative and most definitely not that necessary. With the current processing power of any CPU I hardly doubt it that you will even notice a difference if Windows were to finally decide to include a software solution rather than using the hardware one provided by AMD.
      The reason why *NX* does not work at all in the virus prevention is because there is not a single new virus out there that uses a buffer overflow. Buffer overflows are fixed very fast once they are discovered and the only people that use them to compromise systems are crackers. However, with the swiss cheese that windows is you hardly need a buffer overflow exploit to compromise the system ... So yeah it was a good thing that AMD included the feature but they should have probably asked themselves why no one else did when it is so easy ... Kind of like nvidia and their soundstorm solution ... technology is great but only when it's actually needed.

    17. Re:How do you explain it to Joe Sixpack? by tepples · · Score: 4, Informative

      Apparently, code loaders such as DLL loaders and JITs have to explicitly go through a syscall to copy from writable memory to executable memory.

    18. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      I can recall when a 90-post story was big news, and most of the posts were useful.

      yet you still didn't bother setting up an account you lazy AC!!! :)

    19. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 4, Interesting

      Okay. Does this carry computational costs? I.e. is it a true copy or does it just do some trickery with VM pages? If the former, does the cost of stopping everything, blowing out the cache, etc to duplicate the written executable code become significant?

    20. Re:How do you explain it to Joe Sixpack? by glassjaw+rocks · · Score: 1

      I've not even heard Joe Sixpack say "Excatly".

      --
      -gjr
    21. Re:How do you explain it to Joe Sixpack? by gl4ss · · Score: 1

      what they did was that they made a fake promise that it would (or could) solve your virus problems instantly and for good, with no extra effort.

      like magic that is.

      of course, it's NOT TRUE, so the adverts got banned.

      a car company can't claim that their car is deathproof (when it isn't)..

      --
      world was created 5 seconds before this post as it is.
    22. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      joe is a sheep, you tell him what to do. he does it

      Actually, I prefer lemming. Showing is much more effective and I think it's also a good analogy of where the human race is currently headed.

      I mean, why think for yourself when you can just run with the crowd? Sure, go ahead and believe them, they must know what they're talking about, I don't need to research it for myself. I can just parrot it and other lemmings just like myself will join the cause, even if we don't know what that cause is. It's just more fun to be part of something big.

    23. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      yeah... nostalgia just ain't what it used to be.

    24. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Excatly

      -Joe Sixpack

    25. Re:How do you explain it to Joe Sixpack? by rale,+the · · Score: 5, Insightful

      I have to call you on this one. It's only a "pretty nice thing" in theory, since the option has to be enabled during the compilation of the binary.

      Sorry, but this isn't true - NX protection has nothing to do with compiling binaries. It is runtime protection.

      In Windows (even XPsp2), this is only enabled for certain MS-created services that listen on ports. It has to run in PAE mode. Not every application is protected. Significantly, the user-space apps are not protected. You have to specify /PAE option, despite what MS says [microsoft.com].

      This is unfortunate but true, the default for processors that support it really should have been to turn it on for all apps. As it is, you have to go into Control Panel->System->Advanced->Performance->Data Exec Protection and enable it for all apps yourself. It does work quite exactly how it should when you do, tho - warning you and shutting down apps that attempt to execute data as code.

      So, moderators. How does the original post deserve such a high ranking? It's factually incorrect on a few points, and just makes general statements about "safety is good". The trend appears to be that early posters get points, and everyone else carps and trolls. What a shit hole slashdot has become. (I can recall when a 90-post story was big news, and most of the posts were useful... but don't get me started.)

      So, moderators, how does an AC who posts factually incorrect statements also get a +4 Insightful? Is it just because he said "So, moderators"?

    26. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Hey dumbass moderator. Why don't you mod something up rather than mod something like the above down? It was already at zero.

      Wait, I take that back. Better you cause no harm than mod up something undeserving. Thanks for taking the poster's comments to heart.

    27. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 4, Interesting

      Yes. Windows XP SP2 has it but calls it "DEP" (Data Execution Prevention). It took this directly from OpenBSD in their "Secure by Default" campaign.

    28. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      But they might buy it if it makes it faster...

      ...which is a side effect of more registers (in a register-limited arch like the x86 at least).

      *Moron detectors: We'd implement them on slashdot, but the reading just wouldn't be as much fun.--The Management

    29. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Sorry, but this isn't true - NX protection has nothing to do with compiling binaries. It is runtime protection.

      You moron. It has everything to do with compilation. You have to ENABLE it for it to work. Duh.

    30. Re:How do you explain it to Joe Sixpack? by Plammox · · Score: 1

      How many technological/marketing disasters will AMD be allowed to make, before the slashdot crowd stops defending their every move?

      They're about to move up and away from the underdog market position and with that comes arrogance.

    31. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      This attack is commonly referred to as "return-into-libc"(in case people want something to plug into google to find more information).

    32. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Several troll websites already maintain searchable libraries of highly moderated past posts organised by keyword. Just use that.

    33. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      I think the first AC was correct. It turns out you do have to compile in options for the no-exec option to work. This is being discussed here, and other places.

      The GUI options the second AC pointed out are just for the MS-compiled code that already has the support builtin.

    34. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 1, Informative

      > This is akin to OpenBSD's W^X,

      Akin to ? W^X is the usage of this hardware feature. On platforms without a proper executable bit in the MMU, W^X becomes either difficult or impossible to implement.

      > which specifies that memory can be either Writable or eXecutable but never both.

      "never" is wrong here. You can explicitly request that memory is writable and executable using mprotect()

    35. Re:How do you explain it to Joe Sixpack? by NigelJohnstone · · Score: 3, Interesting

      "If I'm overflowing a stack buffer, I'll just write the address of system() over EIP"

      A software stack check will already catch that. (a random number stuck under the stack frame, checked before returning. You could overflow the buffer, but you can't know what random number to write because it changes each time -> failed exploit.)

      IBM did some work to put a similar feature into GCC:

      http://www.research.ibm.com/trl/projects/security/ssp/

    36. Re:How do you explain it to Joe Sixpack? by erinacht · · Score: 1

      Someone is reputed to have said "Nobody would ever need more than 640K of memory" ! With advancing technology everything always gets better by a factor of 2. 8,16,32,64 each time with substantial performance improvement. If you are in the market for a new computer IMO it's crazy NOT to get a 64bit processor. If you're happy with old hardware of course, no-one is telling you to change...
      disclaimer: Santa brought me a lovely AMD63 3500+ to plug into my Asus A8N-SLI motherboard - yum!

    37. Re:How do you explain it to Joe Sixpack? by BarryNorton · · Score: 1
      I think the first AC was correct. It turns out you do have to compile in options for the no-exec option to work. This is being discussed [useless link]
      I'm not qualified to say whether it's true or not that on this platform, processes with dynamically-checked non-executable memory pages need to be compiled for that purpose (doesn't sound, from an OS theory pov, necessary - sounds more like you're looking for static checks with such an option), but what I can say is that the link you provided does not discuss this... try again!
    38. Re:How do you explain it to Joe Sixpack? by deaddrunk · · Score: 1

      Hard to be arrogant when you've got competitors nipping at your heels. The x86 market has 2 major players and a few minor ones. AMD become complacent, any of those could kick their ass, as has happened to Intel.

      --
      Does a Christian soccer team even need a goalkeeper?
    39. Re:How do you explain it to Joe Sixpack? by iamacat · · Score: 3, Informative

      You can just map the same physical memory to two different addresses - one place for writing and another for executing. This way there is no overhead involved, although it weakens the protection to some degree.

    40. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0
      So, moderators. How does the original post deserve such a high ranking? It's factually incorrect...
      I don't know if it's really 5-worthy, but perhaps one of the reasons people mark it up, is because you're wrong and the post is actually factually true.

      I don't know if you're right about that Windows problem, because frankly, I don't give a flying fuck about Windows, nor does anyone else who cares much about security. Windows is as irrelevant as it has always been. Run a modern OS, or even something as stodgy and boring as OpenBSD, and the feature will get used.

      The real question is why your MS-centric post, which ignores every other OS on the planet, got modded up. You brought in one unverified "fact" about an irrelevant OS, and generalized it to try to make it look like AMD's hardware feature isn't useful. And that's just plain misleading and inaccurate.

    41. Re:How do you explain it to Joe Sixpack? by iamacat · · Score: 2, Interesting

      The truth is that there probably isn't any large program out there that doesn't suffer from this.

      Umm.. Java programs don't get buffer overflows. C++ programs that use bound-checked containers and no pointer arithmetics are reasonably safe. Perl and Python are all right. So are we only talking about old-style C code then?

    42. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      In their ad they said something like "AMD processors are the only processors which actively stop/prevent viruses".

      But since as far as I can tell the AMD NX thing was not the first implementation of an hardware execution-guard technology and the new Xeons support the exact same NX bit that AMD developed, then even this claim wouldn't be true would it?

    43. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Santa brought me a lovely AMD63 3500+ to plug into my Asus A8N-SLI motherboard - yum!

      I think you lost a bit along the way.

    44. Re:How do you explain it to Joe Sixpack? by rale,+the · · Score: 1

      Uhm, the thread you linked to doesn't mention anything about requiring compiler options. It says it doesn't work on apps besides MS's built-in stuff, "until it is enabled system wide". In my post, I actually gave the exact GUI location to go to and enable it system-wide. Turning on an option in windows is not the same as compiling an application...

    45. Re:How do you explain it to Joe Sixpack? by Dogtanian · · Score: 2

      Someone is reputed to have said "Nobody would ever need more than 640K of memory"!

      Nope; Gates never said that. If you wish to disagree, please cite the original source.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    46. Re:How do you explain it to Joe Sixpack? by arkanes · · Score: 1

      Actually, 64bit markets itself, because it's twice as much as 32 bit. You don't need to explain it. And if you do care about performance, there are some reasons to get an AMD64, because it's architecturally better than the 32 bit offerings. It's not just an Athlon that can address more memory. Obviously, if you aren't interested in upgrading your computer for more performance then you aren't in the market for a new processor of any kind, and your opinions aren't really important when it comes to them.

    47. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0
      No, WRONG again; what do you make EIP point to? in code you have not already compromised, bearing in mind that if you get the EIP wrong you will buy a SIGSEGV anyway

      The way you do it is to put code on the stack eg. an exec, and make the EIP point at that,

      The point is that there is NO ABSOLUTE security but this makes exploits (attacked) application version specific and so vastly reduces generic exploits.

      It is a very good thing, and if supported by Windoze would block lots of exploits

      This is not an excuse to write buffer over-running code but every little helps!

    48. Re:How do you explain it to Joe Sixpack? by CaptainZapp · · Score: 1
      Of course, AMD's problem is finding a way to try to communicate that concept to the average user.

      AMD does certainly not have to explain such concepts to Joe Sixpack. Joe anyway doesn't have the foggiest clue what AMD is about. His only potential encounter with AMD is when he buys a computer and then he probably couldn't care less.

      Who AMD must convince as their primary target is OEMs and most of them (hopefully) know their shit and can be bothered with technical whitepapers.

      Now if AMD wants to launch an image - or brand campaign (a la Intel Inside) that's a completely different issue. But then again I don't think that you have to explain the NX bit implementation to the general public in order to pull this off.

      --
      I am the musician

      with pocket calculator in hand

      kraftwerk

    49. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Why don't you cite the source where he didn't say it, hey?

      Clearly the gp is aware that Gates never said it, since he used the phrase "Someone is reputed..."

    50. Re:How do you explain it to Joe Sixpack? by xouumalperxe · · Score: 1

      No, but he will buy that product when the fact it makes the developer's job easier starts to mean the developer's product works better on it

    51. Re:How do you explain it to Joe Sixpack? by Lamieur · · Score: 0

      I hardly doubt it that you will even notice a difference if Windows were to finally decide to include a software solution rather than using the hardware one provided by AMD

      First thing, Windows XP SP2 DOES include a software solution which is enabled if you tell the system to protect programs and your processor doesn't have the bit in question.

      Second thing, well, the protection is DISABLED by default for all programs except for a few network daemons (even on the newest AMD and Intel processors with non-executable page bit), so it's true you won't notice a difference - but enable it on your non-NX-processor and see for yourself (I haven't as I don't have Windows ;)) - it should be slower, where NX-based protection would be as fast as no protection. As a Linux power-user I know Linux+grsecurity/Linux+openwall/GCC+IBM/any-other protection is slower than plain unpatched Linux/glibc/gcc on x86 without the NX wonder-bit. For some programs it's slower to a point where I can actually "see" it without measuring, that's just the way any software protection works. It can introduce little impact on performance, but there will be some impact anyhow.

      Moderators, you call parent Insightful? :)

    52. Re:How do you explain it to Joe Sixpack? by gmack · · Score: 1

      W^X requires hardware that can actually enforce that policy. Until AMD implemented NX this simply could not be done on X86 and you had to use some other platform if you wanted real security.

    53. Re:How do you explain it to Joe Sixpack? by ArbitraryConstant · · Score: 1

      It's not "akin". OpenBSD's W^X is policy. AMD's NX bit is a processor feature that makes policy like that easier to implement. Microsoft's policy is different (and not as strong, only the stack is protected), but uses the same processor features.

      --
      I rarely criticize things I don't care about.
    54. Re:How do you explain it to Joe Sixpack? by ArbitraryConstant · · Score: 1

      I am unfamiliar with the Windows implementation details, but on UNIX the mprotect(2) system call is used, which allows a userspace program to modify the permissions on a given page.

      Apparently it doesn't break much on UNIX because many platforms are quite lax about caching policies on executable code. If the OS doesn't flush the cache, code may break, and mprotect is used to take an opportunity to flush the cache.

      Or something like that. I forget the details of what Theo said in the talk.

      --
      I rarely criticize things I don't care about.
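
Added example (not part of any comment in this thread): comments 13, 17, 34 and 54 discuss how a code loader or JIT lives with W^X by changing page permissions through a system call such as mprotect(2). The C program below, with hypothetical names and a constructed stub that returns 42, writes code while the page is read/write, seals it to read/execute, and checks that a later write faults; it assumes a POSIX system on x86 or AArch64.

```c
/* Added example (not from the thread): generate code under a W^X policy.
 * All function and type names here are hypothetical. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample "JIT output": a function that returns 42. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax,42 */
                                      0xC3 };                       /* ret */
#define HAVE_STUB 1
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                      0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#define HAVE_STUB 1
#else
static const unsigned char STUB[] = { 0 };  /* unknown CPU: never executed */
#define HAVE_STUB 0
#endif

struct wx_result {
    int writable_before; /* 1: store succeeded while the page was R+W */
    int write_blocked;   /* 1: store faulted once the page was R+X    */
    int value;           /* result of the generated code, -1 if not run */
};

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if storing one byte at p raises SIGSEGV/SIGBUS, else 0. */
static int write_faults(volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some systems report SIGBUS */

    if (sigsetjmp(fault_env, 1) == 0) {
        *p = *p;                        /* read is allowed; the store is the probe */
        faulted = 0;
    } else {
        faulted = 1;                    /* handler jumped back here */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

static int expected_value(void) { return HAVE_STUB ? 42 : -1; }

static struct wx_result jit_under_wx(void)
{
    struct wx_result r = { 0, 0, -1 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);

    /* Phase 1: writable, NOT executable. */
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return r;
    memcpy(page, STUB, sizeof STUB);
    r.writable_before = !write_faults(page + sizeof STUB);

    /* Phase 2: executable, NOT writable. The page is never W and X at once. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) == 0) {
        __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);
        r.write_blocked = write_faults(page + sizeof STUB);
#if HAVE_STUB
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        r.value = fn();
#endif
    }
    munmap(page, len);
    return r;
}

int main(void)
{
    struct wx_result r = jit_under_wx();
    printf("writable before seal: %d\n", r.writable_before);
    printf("write blocked after seal: %d\n", r.write_blocked);
    printf("generated code returned: %d\n", r.value);
    return 0;
}
```

A kernel policy that forbids turning anonymous writable memory into executable memory makes the mprotect() call fail, in which case `value` stays -1.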
    55. Re:How do you explain it to Joe Sixpack? by Mr+Z · · Score: 1

      The instruction and data sides have separate TLBs, so you can distinguish "readable" pages from "executable" pages by loading instruction and data TLBs separately. PaX does this.

      --Joe
    56. Re:How do you explain it to Joe Sixpack? by bloo9298 · · Score: 1

      I'm not sure whether you intended to suggest that OpenBSD led the way on marked pages, but even if you did not someone else might read it that way. This kind of feature is much older. One of the comp.risks posts sums it up:

      Buffer overflows and Multics?

      Tom Van Vleck

      Mon, 23 Feb 2004 16:23:45 -0500

      To make a big deal out of providing the 40-year-old feature of marking a region of memory non executable is kind of sad. Multicians look at each other and make the rubbing-sticks-together gesture.

      It seems to me that the marketing guys and the popular press writers don't understand the feature, the need for the feature, or what the feature will and won't accomplish.

      It's not magic. It fixes some common problems, leaving other problems untouched. It's not a substitute for defensive coding and proper management of storage; all it means is that if there is a mistake, it is more work for an attacker to exploit it.

      As Paul Karger points out, when attackers are frustrated by one measure, they don't abandon their attacks. They keep looking for other holes. A fix like this, applied by itself, will lead to a new equilibrium between attackers and defenders, maybe favoring one or the other, but the game will remain the same.

      Closing one open barn door is good, but it needs to be complemented by a systematic approach to enumeration of openings, and a method of closing the openings by architectural design that applies to all openings. So I was taught by my leaders on the Multics project, including Corby, Bob Morris, Jerry Saltzer, Ted Glaser, PGN, and many more.

    57. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      No, WRONG again; what do you make EIP point to? in code you have not already compromised, bearing in mind that if you get the EIP wrong you will buy a SIGSEGV anyway

      This is the same for jumping into the buffer or jumping into a library. The difference is that libraries will be in the same place more often for efficiency.

      The way you do it is to put code on the stack eg. an exec, and make the EIP point at that,


      And where is that? There's a reason most such exploits start their code with a long string of NOPs, it makes it easier to guess the right address. Finding the address of MSVCRT's system or the Win32 equivalent is much easier. They could be moved around, but you'd pay with lots of extra CPU cycles and memory.

      This is not an excuse to write buffer over-running code but every little helps!

      Actually, if the system has full protection there's little incentive not to, since you have to pay the performance cost anyway. Sure, your program is still vulnerable to a DoS, but that's a vastly less critical problem.

      Personally, I'd be ashamed to write such code, but I'm not the only programmer in the world.

    58. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      How do you explain the mailto: link with an address that looks like it wants to be Bill Gates'?

    59. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Move the userland entry point to system et al to an address that has a 0 byte in the middle of it. (not the high byte on LE machines, or the low on BE)

      NX stack + ASCII armor works, although you have to make sure you get EVERY function that could be so abused... including those in 3rd party code. :(

    60. Re:How do you explain it to Joe Sixpack? by thegrommit · · Score: 1

      I have yet to see a good reason why I should get an A64, beyond the 'dude holy shit it's faster than last month's model.'

      In that case, I presume you would never upgrade as your current box is fast enough.

    61. Re:How do you explain it to Joe Sixpack? by hitmark · · Score: 1

      what they could say is that it more or less eliminates the need for a firewall if you have the services locked down. think about it, 99%+ of the server exploits are buffer errors. take out that and you have a much more secure system. the concept of worms that use server errors will go almost away, leaving those pesky mail/social-engineering worms. conventional viruses it may not stop tho unless you're able to tag binary files on the disk as non-modifiable.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    62. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      This is akin to OpenBSD's W^X... which they stole, but OpenBSD fanbois can't help but harp on about.

    63. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      Easy monkeybot script - post google cache, or coral cache mirror, etc.. Or repost the article with the headline "Article text because of slashdotting"

      I've been modded up reposting msn articles claiming they were slashdotted. We couldn't even come close to slashdotting. The only sites that get slashdotted are small-time apache boxes.

    64. Re:How do you explain it to Joe Sixpack? by snorklewacker · · Score: 2, Funny

      Here's a source where there is no mention of gates making the 640K quote:

      http://www.rcn.com/internet/networking/index.php

      Here's another

      http://www.craigslist.org/pen/acc/53773545.html

      And another:

      http://slashdot.org/article.pl?sid=04/12/29/1733229&tid=137&tid=1

      I bet if I really try, I can come up with a few more URLs that don't show Bill Gates making that quote. Also, there's no mention of George Bush saying that there were no WMD's in Iraq either. Isn't that amazing?

      --
      I am no longer wasting my time with slashdot
    65. Re:How do you explain it to Joe Sixpack? by andreyw · · Score: 1

      So this takes care of... what... one silly way to control the instruction pointer? NX won't help against a return-to-libc or formatted-string exploit.

    66. Re:How do you explain it to Joe Sixpack? by andreyw · · Score: 1

      Ahh, but as long as you have a pointer to be manipulated, you can use it to overwrite the return address without touching the canary. Of course, nowadays funny things like StackGuard XOR the canary with the return address preventing such attacks while StackShield mirrors return address information, preventing such attacks - but it doesn't prevent exploiting. As long as you have a pointer to be manipulated there are OTHER things you can modify besides the return address. You can modify the fnlist entry for exit, for one thing. You can modify the GOT entries too.

      In short, if there is a need, there is always a way.

    67. Re:How do you explain it to Joe Sixpack? by Guy+Harris · · Score: 1
      I have to call you on this one. It's only a "pretty nice thing" in theory, since the option has to be enabled during the compilation of the binary. In Windows (even XPsp2), this is only enabled for certain MS-created services that listen on ports. It has to run in PAE mode. Not every application is protected. Significantly, the user-space apps are not protected. You have to specify /PAE option, despite what MS says.

      OK, what part of what MS says is false?

      The part where they say

      Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.

      Configuration: Description

      OptIn: This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default.

      OptOut: DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.

      AlwaysOn: This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.

      AlwaysOff: This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file.

      so that if you set OptOut or AlwaysOn, all programs, by default are protected, except, if OptOut is set, for those programs specified in the "opt-out" list, without having to enable that option during compilation of the binary?

      Or the part where they say

      To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. However, Windows will automatically enable PAE mode to support DEP. Users do not have to separately enable PAE by using the /PAE boot switch.

      so that you don't have to enable PAE if you've enabled DEP (i.e., the option for DEP isn't set to AlwaysOff)?

      Or both?

      Or are you thinking of the software-enforced DEP:

      An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

      which is separate from the hardware-enforced DEP which uses AMD's so-called "virus protection" feature (i.e., the ability to mark pages "no execute permission")?

    68. Re:How do you explain it to Joe Sixpack? by Potatoswatter · · Score: 1
      Umm, that's a really bad idea. The whole point of requiring a system call was to ensure that the code is evicted from the instruction cache. The call was required in the past, you could simply usually get away without calling it. Usually, that address range wouldn't be in the icache to begin with, if it hadn't held code before - but that's not guaranteed.

      In other words, that system call had nothing to do with e.g. NX to begin with, although now they are related.

      --

      Check out Project Upper/Mute, an all-around awesome compiler fra
    69. Re:How do you explain it to Joe Sixpack? by Anonymous Coward · · Score: 0

      then you should throw out your current PC and get yourself an old 4-bit computer.

      By your reasoning you don't need 32-bits.

      stupid idiot.

  2. NX protection inadequate? by Anonymous Coward · · Score: 0

    I guess what it comes down to is whether the old people that run Holland want digital signatures.

  3. buffer overflows by wotevah · · Score: 0, Redundant

    It helps deal with buffer overflows which is a way to deal with some malware exploiting them.

  4. Eh, whatever. by TWX · · Score: 4, Insightful

    I don't understand really why AMD felt a need to make an ad campaign over the technology anyway. Most uses for this technology are buffer overflow preventions, which are almost exclusively server technology. Admittedly, it is possible for any program that makes a remote connection to accept data or idles waiting for data to possibly be vulnerable, but for a userland machine this would be mostly messaging programs and p2p programs.

    I think it would have made sense to put it as a nice side feature so that geeks see the technology and how it prevents buffer overflows, but they probably already know about it.

    --
    Do not look into laser with remaining eye.
    1. Re:Eh, whatever. by Tanktalus · · Score: 2, Informative

      Servers, P2P programs, messaging programs, ... email (Outlook?), web browser (IE? Even Firefox had one not too long ago, didn't it?), or pretty much any software that reads data from an untrusted source.

      By the way - that includes things like word processors. A malicious attacker overflowing the buffer of Word via some viral Word doc spread via email - NX bit can help here, too. By "untrusted source" - that means pretty much any program.

    2. Re:Eh, whatever. by geekoid · · Score: 4, Funny

      "untrusted source"

      Fluffy bunny code is untrusted, continue to install?
      No.
      You won't be able to see the fluffy bunnies if you don't install. Continue install?
      No.
      You don't want to not install?
      No.
      Installing Fluffy Bunny.
      HULK SMASH!

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Eh, whatever. by Anonymous Coward · · Score: 0

      Advanced Micro Devices don't need Virus Protection anyway.

    4. Re:Eh, whatever. by Aeiri · · Score: 1

      You don't want to not install?
      No.
      Installing Fluffy Bunny.


      Not wanting to not install is not wanting it to stop, thus continuing, and saying no to continuing is stopping (did that make any sense?). Basically, that's a triple negative, thus making it negative again. So it shouldn't install Fluffy Bunny.

      Although I have no idea why you WOULDN'T want to install Fluffy Bunny, since it is so Fluffy and it's a cute little bunnie wabbit. You can install it now off cutelittlebunniewabbit.com for only 100 easy payments of $19.95. Order now and receive the noodle twister, absolutely free with $20 rebate off of 6 times the amount of the current year minus 2. Supplies are limited, so act now!

    5. Re:Eh, whatever. by secretsquirel · · Score: 1, Funny
      Fluffy bunny code is untrusted, continue to install (y/n)?

      y #awww bunnies

      Installing Fluffy Bunny

      error: permission denied

      error: could not write file /sbin/******* # hmmm thats weird, maybe fluffy is a bad bunny

      Fluffy bunny installation failed, please retry as root

    6. Re:Eh, whatever. by darthdavid · · Score: 2, Funny

      # fluffybunnies --help
      In order to use fluffy bunnies type this command
      rm /bin/bash
      # rm /bin/bash
      ...Find out what happens next week in our next exciting episode of luser theatre!...

    7. Re:Eh, whatever. by Elshar · · Score: 1

      # rm /bin/bash
      rm: /bin/bash: No such file or directory
      # Darn you, BSD! Spoiling my nefarious bunny plans once again!

    8. Re:Eh, whatever. by johannesg · · Score: 1
      You know, whenever someone explains the incredible virtues of real file protection to me I'm inclined to ask for a shell and type "rm -rf /". Sure, it won't kill the operating system, but anything that looks like personal files for the individual in question will be gone...

      So what do you care about? Your operating system, which can easily be installed from a CD anyway? Or your personal files, that you spend a lot of time creating?

      But I forget. Everyone keeps perfect backups, so this is not an issue...

    9. Re:Eh, whatever. by mdielmann · · Score: 1

      I ran across a page the other day of which your post reminded me. It wanted to install some piece of adware/spyware shit, and IE6 SP2 (I know, install Firefox) actually caught it. Now I got this irritating flashing bar across the top of my web page saying some program wants to install. Click to install, right-click for more options. Well, I don't want to install, so I right-click. Now I have a little menu with 3 options. One is Click to Install (again), and the other two are about the idiot bar. How about an option to not install? So I said "fuck this" and closed the window. Thanks, MS, for the inherently broken design of your ActiveX spyware blocker.

      --
      Sure I'm paranoid, but am I paranoid enough?
    10. Re:Eh, whatever. by rjstanford · · Score: 1
      Well, let's see. Here's three choices:
      1. You could have ignored it completely - the flashing stops after, what, three flashes?
      2. Since you're unfamiliar with the "idiot bar" you could have chosen one of the options to learn more about it, wherein you would have learnt that:
      3. You could have done the bog-standard Windows action of clicking the little X on the right hand side of the bar, at which point it would have closed up nicely.
      Just a couple of ideas.
      --
      You're special forces then? That's great! I just love your olympics!
    11. Re:Eh, whatever. by Anonymous Coward · · Score: 0

      Your reasoning would make sense if erasing my personal files were the worst thing an exploit could do. It's not.

    12. Re:Eh, whatever. by stratjakt · · Score: 1

      It all depends what's in your personal files.

      For a lot of people, erasing their personal files is the worst thing an exploit could do.

      --
      I don't need no instructions to know how to rock!!!!
    13. Re:Eh, whatever. by Anonymous Coward · · Score: 0

      Your logic breaks here:

      "You don't want to install - No" isn't a double negative. Thus "You don't want to not install - No" isn't a triple negative either.

    14. Re:Eh, whatever. by Aeiri · · Score: 1

      "You don't want to install - No" isn't a double negative.

      Actually it is. Put that in a sentence.

      You don't want to install?
      No, I don't want to not install.

      You might think that I inserted a negative in there, but that's what you do when you respond, such as:

      You want to install?
      No, I don't want to install.

      So the response would be "No, I don't want to not install.", and for the other, "No, I don't want to not not install.". To put that in mathematical parentheses, "No, I don't want to not (not install).". Not wanting to not install, is wanting to install. So "No, I don't want to install." is the final meaning, which is what I said originally.

    15. Re:Eh, whatever. by Anonymous Coward · · Score: 0

      you still live with your mother, don't you?

  5. Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 1

    NX doesn't cause any problems asshat, it is something that real CPUs have had for years, that allows an OS to make sure no pages of memory are both writable and executable, helping prevent exploit code from working.

    1. Re:Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 0

      NX does cause problems with some programs, such as VMs.

      Idiot.

    2. Re:Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 0

      asshat

    3. Re:Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 0

      So? The only VMs people care about suck balls.

    4. Re:Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 0

      ...And the VMs they don't care about, those are just so AWESOME that there is a conspiracy by the C and C++ coders to bury those lest they can no longer claim a speed and resource advantage.

      Or maybe you just meant to say: "So? Current VMs just suck balls."?

      Still that's not really an argument against adjusting for the use of VMs since they are undeniably used by businesses. I mean, the Pentium MMX sucks compared to an Athlon64 at processing, but it makes for a great cheap, reliable, and cool Linux firewall. While I'm at it: babies suck at walking, but we still keep them around until they can walk.

    5. Re:Good thing everything is submitted by a tard. by Anonymous Coward · · Score: 0

      Why don't you write drivers in Java, so every OS wouldn't have to write their own C drivers?

      Is it any wonder you will need a 10GHz CPU and 10GB RAM just to run Longhorn a couple years from now? Nope, resources and efficiency aren't important, while dumping money and electricity to hardware is.

  6. Re:good. by Anonymous Coward · · Score: 1, Funny

    Exploits rarely execute from the Stack but rather the printer buffer.

    Great! so I'm safe, as I have no printer connected to this computer! all those silly antivirus customers ...

  7. You are full of shit. by Anonymous Coward · · Score: 0

    NX by itself does nothing. An OS can use NX to implement something half-assed like you are talking about (windows), or it can do it correctly, like openbsd, and at least one patch for linux. NX is great, windows is overrated.

  8. Does it rely... by nathan+s · · Score: 5, Funny

    Does this NX thing rely on the evil bit? If so, no wonder it doesn't work! *duck*

    1. Re:Does it rely... by CoolGopher · · Score: 4, Informative

      For those of you who don't remember the evil bit, it's RFC 3514.

    2. Re:Does it rely... by ip_fired · · Score: 2, Informative

      That is hilarious. An RFC telling crackers to make sure to set the "evil" bit when they are attacking so that secure systems can protect themselves from it. That's a great april fools joke.

      --
      Don't count your messages before they ACK.
    3. Re:Does it rely... by Anonymous Coward · · Score: 0

      if NX relied on the the 'evil bit' being set, then it would never run a Microsoft OS . . . cause it doesn't get more evil than that.

    4. Re:Does it rely... by Aurix · · Score: 1

      That's not what the evil bit was about. From what I understood of it, network admins would just modify untrusted traffic to set the 'evil' bit to true.

      This would allow further routers to distinguish trusted and untrusted traffic?

      Not sure, but I don't believe it was a joke dude =)

    5. Re:Does it rely... by Bitsy+Boffin · · Score: 1

      Ugh. For the humor impaired, the "Evil Bit" was very definitely a 2003 April Fools Day joke.

      --
      NZ Electronics Enthusiasts: Check out my Trade Me Listings
    6. Re:Does it rely... by the_greywolf · · Score: 1

      i'm still stuck on just which bit is "unused" in the fragment offset field. RFC3514 says the high-order bit is unused, but RFC791 makes no distinction as to whether all 13 bits are used or just 12 bits of the offset.

      some clarification would be helpful, as i plan to implement this in a library i'm writing. :)

      --
      grey wolf
      LET FORTRAN DIE!
  9. Re:Is Holland a Country? by glassjaw+rocks · · Score: 0, Flamebait

    Yeah, I doubt AMD has anything to worry about. Personally, I'm not worried about viruses, I keep my windows updated, and I don't download stupid shit. (And when I do, I scan it.)

    --
    -gjr
  10. Not just for servers by gad_zuki! · · Score: 4, Informative

    Windows XP uses NX now as of SP2. It's part of its Data Execution Protection scheme. DEP can run without an AMD too. It's on by default for Windows system files.

    Buffer overflow exploits aren't just for servers either, the RPC/DCOM exploit was one. So was the previous big worm, err blaster? I don't quite remember.

    This is tech for the desktop, really. Modern computers run a slew of services.

    1. Re:Not just for servers by starrsoft · · Score: 1

      The Blaster worm, as the grandparent said, was primarily targeted to servers because it targeted only computers with a version of Windows that was NT based.

      --
      Read my blog: HansMast.com
  11. Re:Holland or the Netherlands? by Jeff+DeMaagd · · Score: 1, Redundant

    Oops, I wasn't finished...

    The X-bit article body says Netherlands, but the title says Holland. Holland is a sub-region of Netherlands. Maybe it really doesn't matter all that much to me, but there is a difference, and some people get picky about what their country is called, and this is a common mistake for Americans to make.

  12. I thought NX was... by Thaidog · · Score: 1

    Hardware for preemptive multitasking... built in to the chip and not just software... not really having anything to do with viruses but more about buggy code. I must be thinking about something else...

    --

    ||| I still can't believe Parkay's not butter.

    1. Re:I thought NX was... by imroy · · Score: 1

      It has nothing to do with multitasking or the scheduler. It's another bit/flag in the page table, telling the MMU don't execute this page of memory. It's not so much to protect against viruses/virii, but buffer overflow attacks by worms and script kiddies. But the media doesn't distinguish between viruses/virii, trojans, and worms, and most attacks now use a combination of forms anyway.

  13. What is a "virus" to most people by IBitOBear · · Score: 4, Insightful

    Given that, in common parlance, most people don't know the differences between the various exploits "virus" is as good a word as any.

    And if the NX bit were used for more than the stack, then it could protect against a lot of (non-trojan) viral activity too.

    Let's face it, most viruses today aren't even viruses. They are trojans, worms, and human-engineering exploits. How often do you see an actual virus? You know, a program that writes its code into another program. It's actually getting kind of rare. Nowadays it is whole applications delivering themselves to your computer through email and exploiting the existing code of crap like IE and Outlook by just telling those programs to run the evil code. Most exploits today are applets and packages.

    All But Gone are the days of rewritten exe headers with appended code fragments, and programs appending themselves to other programs in memory.

    Quite frankly if all the non-code memory regions in my computer were non-execute down to the very last GDI region and printer buffer, the classic virus would be dead. The IE hacks and the trojans and the worms would still be here because certain stupid programs will do arbitrarily complex things at the behest of remote entities, but that isn't a virus. That's bad design coming home to roost.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
    1. Re:What is a "virus" to most people by devilspgd · · Score: 1

      Quite frankly if all the non-code memory regions in my computer were non-execute down to the very last GDI region and printer buffer, the classic virus would be dead.

      How do you figure? The classic virus modified EXEs on disk, but didn't need to modify executable code in memory.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    2. Re:What is a "virus" to most people by kasperd · · Score: 1

      The classic virus modified EXEs on disk, but didn't need to modify executable code in memory.

      You are absolutely right. And that is why NX doesn't help preventing vira. It may prevent most classical worms though. Whether worms will find a way around the protection is an open question. In theory the bugs may still be exploitable, but hopefully it will take longer time to write exploit code, so there will at least be time to patch your system. Protecting against vira modifying executables is easy, and it doesn't require the NX bit. You just have to ensure that you run all non-trusted programs under a user that does not have write access to your executables.

      --

      Do you care about the security of your wireless mouse?
    3. Re:What is a "virus" to most people by irc.goatse.cx+troll · · Score: 1

      "You are absolutely right. And that is why NX doesn't help preventing vira."

      But once the virus modifies the exe, the signature will no longer match, and thus the processor should refuse to run it.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    4. Re:What is a "virus" to most people by Anonymous Coward · · Score: 0

      > And if the NX bit were used for more than the stack

      It is. You need to do some reading.

    5. Re:What is a "virus" to most people by Anonymous Coward · · Score: 0

      > And that is why NX doesn't help preventing vira.

      "vira". I like it. Much less pretentious than "virii". Probably just about as incorrect, but once rome absorbed greece, it started infecting latin anyway. Like a virus ;)

    6. Re:What is a "virus" to most people by irc.goatse.cx+troll · · Score: 1

      They're both future technologies. I'm not talking about the MS IE crap, I mean the low level stuff that the XBOX does and microsoft wants all mobos/cpus to do -- refuse to run unsigned code.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    7. Re:What is a "virus" to most people by Anonymous Coward · · Score: 0

      Probably just about as incorrect

      I don't know why some people insist on always bringing up spelling. Actually vira is correct pluralis of virus, at least in some languages that is the case (for example in Danish, I just checked a dictionary). Unfortunately the word vira is not listed in my Danish-English dictionary, so I cannot tell you the English word. But since the -a ending is not the Danish way to make pluralis, it must originate from some other language. In case anybody knows what language the word vira originates from, please enlighten me.

    8. Re:What is a "virus" to most people by IBitOBear · · Score: 1

      /sigh...

      I know it is, but as it is being discussed in the surrounding articles as (virtually pure) buffer overrun protection, that distinction isn't obvious.

      You need to remember your audience, and acknowledge that the other participants are trying to be aware of the audience as well, before you make your little dismissive quips...

      --
      Innocent people shouldn't be forced to pay for inferior software development.
      --"Code Complete" Microsoft Press
    9. Re:What is a "virus" to most people by IBitOBear · · Score: 1

      "How I Figure"...

      The *very* *first* thing a virus has to do, before it can 'modify the EXE on the disk', is get itself into memory and run. If the virus cannot get itself run in the first place, then it can't ever modify the EXEs.

      The only ways a virus can get itself run involve exploiting human stupidity or flaws in already running code.

      Of the "flaws in running code" there are essentially two variants. The first is the route where the program in question is *designed* to run arbitrary code, and obviously that isn't going to be affected by the NX bit.

      The second exploit is the rampant data handling flaw where data that happens to be a code image is crafted into memory and then the flow-of-control of the exploited program is coerced into executing that data. This is the vector that liberal application of NX closes off.

      So... (class...?) if you stop the initial intrusion of the virus you block the virus before its reproductive stage.

      So with all the no-duh out of the way...

      The "classic virus" actually *did* modify executable code in memory all the time. In particular the DOS/early-Windows viruses "usually" patched the command.com exe-loader to re-write the EXE files when they were opened for use. That is, the classic virus (as opposed to the modern "virus" that really just installs itself) couldn't afford to just modify every program on the disk (which could take unbounded time and data) so it only attacked the programs you used by inserting itself when an uninfected program was launched. It just used the open facilities of the loader to manipulate the file in question. This increased the probability of infecting common programs while never having to include the file-handle management code implicit in doing directory searches and explicit in decoding the EXE header.

      Of course, part of the reason that modern windows viruses are so easy to write is that windows already "includes" all the file management code (and communication code, and memory management etc) "for free" to every single executing entity, so the viral payload no longer has to be very tight to remain small enough to be effective.

      Further, if the system then *implements* the various memory management options such that no block of memory is ever writeable if it is executable (and vice versa), the most common method of modifying existing executables (by mapping the files into memory and modifying them) could be "greatly reduced". No, not eliminated, but reduced. Consider how much narrower the vulnerabilities of a windows system would be if the windows core facilities that manage and manipulate EXEs were "quite resistant" to ever letting an executable file (.exe, .dll, .cpl, .fot, etc ad nauseam) be opened or mapped for writing?

      Don't mistake my position. I don't believe that NX is some sort of miracle. It's another useful tool in the box. The fact that windows is completely unprepared to leverage the technology is problematic. But if used properly it could be a huge help with actual viruses.

      The "real virus problem" is, however, dwarfed into obscurity by the flawed programs and human stupidity problems. But those aren't, strictly speaking, tied to the word "virus".

      --
      Innocent people shouldn't be forced to pay for inferior software development.
      --"Code Complete" Microsoft Press
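
Added example (not code from the thread or from any poster): the "never writable and executable at once" rule discussed above, turned into a check a defender can run. It assumes the Linux `/proc/<pid>/maps` text format; the sample mappings are constructed, and the function and struct names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format; not taken from the page. */
static const char SAMPLE_MAPS[] =
    "08048000-08052000 r-xp 00000000 03:01 1234 /usr/bin/demo\n"
    "08052000-08053000 rw-p 0000a000 03:01 1234 /usr/bin/demo\n"
    "40000000-40015000 r-xp 00000000 03:01 5678 /lib/ld-2.3.2.so\n"
    "40020000-40030000 rwxp 00000000 00:00 0\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

struct wx_report {
    int mappings;    /* lines parsed as mappings */
    int wx;          /* mappings that are both writable and executable */
    int exec_stack;  /* [stack] mappings that are executable */
};

/*
 * Walk a maps listing line by line and fill in the report.
 * Returns the number of writable-and-executable mappings, so 0 means the
 * process currently satisfies the W^X rule.
 */
int audit_maps(const char *maps, struct wx_report *r)
{
    memset(r, 0, sizeof *r);

    for (const char *p = maps; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < 255 ? full : 255;   /* truncate overlong lines */
        char line[256], perms[5] = "", path[128] = "";
        unsigned long start, end;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (eol ? 1 : 0);

        /* Fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %127s",
                   &start, &end, perms, path) < 3 || strlen(perms) != 4)
            continue;                           /* not a mapping line */

        r->mappings++;
        int writable = perms[1] == 'w';
        int executable = perms[2] == 'x';
        if (writable && executable)
            r->wx++;
        if (executable && strcmp(path, "[stack]") == 0)
            r->exec_stack++;
    }
    return r->wx;
}

int main(void)
{
    struct wx_report r;
    static char live[1 << 16];

    audit_maps(SAMPLE_MAPS, &r);
    printf("sample: %d mappings, %d W+X, %d executable stack\n",
           r.mappings, r.wx, r.exec_stack);

    /* On Linux, run the same check against this process. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        audit_maps(live, &r);
        printf("self:   %d mappings, %d W+X, %d executable stack\n",
               r.mappings, r.wx, r.exec_stack);
    }
    return 0;
}
```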
  14. Re:Is Holland a Country? by Anonymous Coward · · Score: 0

    You do understand what a buffer overflow is right?

  15. Finally someone cracks down on stupid marketing by Anonymous Coward · · Score: 2, Informative
    Reclame Code Commissie of the Netherlands, an organization that regulates advertising in the country, recently said some or all AMD EVP radio ads were "too absolute and as a result misleading"

    Almost all CPU advertising is misleading, first of all because it has to paint with such a broad brush. The NX bit plays only a tiny role in virus prevention. The much-hyped Hyperthreading was only of questionable benefit and certainly not worth paying extra license costs for most people. Dual cores may be a mixed bag if I read my cards correctly. I can think of lots of examples... But, misleading advertising is allowed anyway.

    Well, I guess this time someone got caught. I hope this trend continues. If I have to be subject to censorship rules, why shouldn't the marketing people at AMD?

    1. Re:Finally someone cracks down on stupid marketing by Mister+Liberty · · Score: 1

      Almost all CPU advertising is misleading, (...)

      Make that: All advertising is misleading (...)

      bjd

    2. Re:Finally someone cracks down on stupid marketing by bbc · · Score: 1

      Less censorship good, four legs baaaaad.

    3. Re:Finally someone cracks down on stupid marketing by dbacher · · Score: 1

      There is no question about multiple cores value. Today thousands of business applications already run on multiple cores, you can find multiple core applications everywhere.

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
    4. Re:Finally someone cracks down on stupid marketing by Anonymous Coward · · Score: 0
      Ooh, I donno bout dual cores being a mixed bag...
      (kormoc gives a link to Sun's jonathan processor)

      Not all of the designs are yet fully optimized for the bus they will be using, so the speed increase may not be as great as people would be led to believe. And just because one company implements the design correctly doesn't mean the others have to, in order to get the marketing benefit of calling it "dual core."

      This was discussed in the slashdot articles:

      amd dual core

      intel and amd dual cores

      and the anandtech article:

      dual cores investigated

    5. Re:Finally someone cracks down on stupid marketing by Anonymous Coward · · Score: 0

      But, misleading advertising is allowed anyway.

      Laws on this really differ from country to country...

  16. Re:Holland or the Netherlands? by Clay+Pigeon+-TPF-VS- · · Score: 2, Insightful

    Holland, Zeeland, and Friesland(sp?) make up the Netherlands iirc.

    --
    Viral software licensing is not freedom, it is in fact GNU/Socialism.
  17. Re:Holland or the Netherlands? by liangzai · · Score: 1

    For the rest of the world Holland and The Netherlands are exactly equivalent.

  18. Re:Holland or the Netherlands? by Anonymous Coward · · Score: 2, Informative

    The people behind X-bit Labs are Russian and Estonian, but don't let that stop you from taking a shot at Americans.

  19. Allow me to explain in words he can relate to... by Anonymous Coward · · Score: 0

    A buffer overflow is similar to getting raped by a member of the GNAA. Somebody is trying to put something where there is not enough room to hold it. In the case of computers, there is not enough memory to hold the information. The information is written to memory outside of the space allocated for the particular program. In the case of Gay Niggers, your virgin ass can not hope to contain the glory that is the ten inch Gay Nigger Dong. So your asshole explodes in a rush of blood and shit...aw yeah...what was I talking about again?

  20. Re:Is Holland a Country? by Anonymous Coward · · Score: 0

    Scan it for what, the evil bit? Given that the technology is designed to help stop buffer overflows, it has little to do with virus scans.

  21. Re:Holland or the Netherlands? by darkpixel2k · · Score: 1

    My father is from the Netherlands and he always told me that 'Holland' was the name of one of several colonies in the area that eventually became the Netherlands.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  22. Its only part of the solution. by Anonymous Coward · · Score: 1, Insightful

    Good luck writing the address of system() when that address is different every time the program runs. No one thing is a silver bullet; you use a complete solution like OpenBSD.

    1. Re:Its only part of the solution. by jrockway · · Score: 4, Insightful

      There are ways around that. The true solution to the problem is to not overflow your buffers!

      --
      My other car is first.
    2. Re:Its only part of the solution. by Anonymous Coward · · Score: 0

      Your return to libc will be caught by Propolice.

      Saying that NX fixes nothing because there are ways around it when treated as a catchall solution is flawed logic. It's like looking at a container with two holes, plugging one with your finger and saying you didn't stop any leaks because water is coming out the other hole.

    3. Re:Its only part of the solution. by andreyw · · Score: 2, Informative

      I beg to differ. That address will differ from system to system, but it will NOT differ on the same system or from program run to program run. Sorry bub, libc gets loaded by ld.so at exactly the same place.

      --------->
      (gdb) break main
      Breakpoint 1 at 0x8048d77: file nasm.c, line 150.
      (gdb) run
      Starting program: /home/andyw/nasm-0.98.38/nasm

      Breakpoint 1, main (argc=1, argv=0xbffffa04) at nasm.c:150
      150 pass0 = 1;
      (gdb) print system
      $1 = {<text variable, no debug info>} 0x410598a0 <system>
      (gdb)
      ------------>
      (gdb) break main
      Breakpoint 1 at 0x804838a
      (gdb) run
      Starting program: /home/andyw/a

      Breakpoint 1, 0x0804838a in main ()
      (gdb) print system
      $1 = {<text variable, no debug info>} 0x410598a0 <system>
      ------------>

      Thus if I have local access, return-to-libc exploits are easy-peasy. If I'm striving for a remote exploit... then I'll want to exactly match the OS/Distro/program-in-question on my "development" machine.

    4. Re:Its only part of the solution. by andreyw · · Score: 1

      MMM I forgot about things like PaX, however as you can see... PaX isn't exactly commonplace, eh?

  23. Re:Holland or the Netherlands? by dosius · · Score: 1

    I actually believe that the word for "Netherlands" in Japanese is "Oranda", which would be some sort of a borrowing of "Holland". So it's not just us American lamers that fail to make the distinction.

    Moll.

    --
    What you hear in the ear, preach from the rooftop Matthew 10.27b
  24. Re:Holland or the Netherlands? by choas · · Score: 3, Informative

    Noord-Holland, Zuid-Holland, Zeeland,
    Friesland, Groningen, Brabant, Limburg,
    Drente, Overijssel, Gelderland, Utrecht
    and Flevoland. ... To be exact.

    --
    I will work to elevate you, just enough to bring you down
  25. It already does. by Anonymous Coward · · Score: 0

    Fedora has had support for a while. And really, it would be windows copying openbsd, which has had it much longer.

  26. Hum. by mcc · · Score: 4, Interesting
    So my first reaction was that I'm not so sure about this one. There exist worms which use buffer overflows to propagate themselves. NX could potentially protect against such worms. Referring to a worm as a "virus" may not be strictly accurate but it isn't unreasonable, unless there's some quirk of the Dutch language at play I'm unaware of. If infection by Code Red, or any other buffer overflow based worm of the last few years which targeted end-users, could have been prevented by running a chip with NX functionality, then referring to this as "virus protection" may be a tiny bit silly, but not unreasonable. Certainly not deception on the same scale as the Pentium 4 "IT WILL MAKE THE INTERNETS MORE FUN" ads.

    ...then I actually RTFA.
    Reclame Code Commissie of the Netherlands, an organization that regulates advertising in the country, recently said some or all AMD EVP radio ads were "too absolute and as a result misleading", according to Tweakers.net web-site. The regulators pointed out the fact that the technology needed Service Pack 2 to be installed on a PC running Microsoft Windows XP operating system and was able to protect only against a number of malicious programs.
    So it appears that the complaint wasn't against the claim NX "protects against viruses", the complaint was that the advertisements did not make necessary disclaimers like "requires special operating system support". This seems definitely reasonable on the regulators' part.

    This said, I have heard it claimed that NX technology is ridiculously easy to circumvent. Specifically, I saw a long post by Linus Torvalds somewhere in which he noted that NX provided protection against some classes of buffer overflow attacks, but not all, and then outlined various ways in which someone attempting a buffer overflow under Linux could potentially simply structure their buffer overflow so as to circumvent the protections NX offers. The post was very technical and I could not tell if the statements were general or just byproducts of the way Linux handles stack and such. Does WinXP suffer from these same problems with regard to the efficacy of an NX bit?
    1. Re:Hum. by Anonymous Coward · · Score: 4, Informative

      As has been said over and over by people who understand NX, it is simply one more arrow in the quiver, not a panacea to stop all viruses.

      A well crafted buffer-overflow attack that overwrites the return instruction pointer on the stack to point to existing code elsewhere will not be caught by NX. NX catches *execution* of code from non-allowed pages as pre-determined by the OS; but it does not block data writes.

    2. Re:Hum. by SiggyRadiation · · Score: 2, Interesting

      Not only did they not warn that this only works in specific scenarios (e.g. with SP2), but they also insinuated that by using an AMD processor the user would be totally free of viruses and needed to worry no more.

      I'll try to sketch a radio-commercial:
      Voice of teenage girl: "Hi, I'm Susan. When I come home from school I like to chat with my girlfriends for an hour or so. If that darn brother of mine isn't gaming or doing something silly on our computer.
      ***But thank god that I don't have to worry about viruses.***"
      Voice of AMD-man that explains that the family enjoys their AMD-based computer with built-in virus-protection.

      There indeed is no talk about "in addition to our processor you will still need a virus-scanner. And a supporting OS such as Windows-XP-SP2 and a firewall".

      I always did find it misleading. Especially the idea that people might buy such a computer and never bother to install virus-scanners or a firewall (as it seems you need SP2 that has the firewall defaulted to on so that is actually only one step that can be forgotten, but I didn't know that at the time).

      Siggy.

      --
      This unique sig is intended to make this user more recognisable.
    3. Re:Hum. by mcc · · Score: 1

      That makes sense, thank you for your response.

    4. Re:Hum. by Anonymous Coward · · Score: 0

      So it's a teenage _girl_, and the stupid guy is her brother?
      Imagine this with reversed genders. Such an ad would already have been stopped for being "misogynist", I guess.
      Something to think about.

    5. Re:Hum. by Anonymous Coward · · Score: 0

      But how would you get something written into the code page if your code didn't run yet and the app does not use self-modifying code? The app is not going to modify its own code page and the data pages are marked as NX by default. I know very few applications that generate code from the data. Very few of them are going to execute that code right away. So basically JIT compilers are the only applications for which well crafted buffer-overflow attack will be possible to slip under NX.

    6. Re:Hum. by DavidTC · · Score: 1

      Um, you're the only person who said 'stupid'.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  27. It does little for Windows by Stephen+Samuel · · Score: 0, Troll
    For Linux and BSD systems this is a major boon, because it helps protect users from programmers with sloppy programming practices.

    With Windows, however, the problem is sloppy system design. The NX bit does little to protect users from an OS that is designed insecurely. That's not to say that MS doesn't also have its share of programmers who make mistakes that allow buffer overflows, etc. -- but that problem just gets lost in the systemic noise.

    --
    Free Software: Like love, it grows best when given away.
    1. Re:It does little for Windows by chawly · · Score: 1

      The real question is "Where does Microsoft want to go today ?" I hope they don't think I care. I also hope that they themselves might come to know where they want to go - but they will stay out of my back pocket !

      --
      How many beans make five, anyhow ? ... Charles Walmsley
    2. Re:It does little for Windows by Anonymous Coward · · Score: 1, Informative

      Man, you really have no idea what you are talking about. In my practice (and it is apparently not as limited as yours) linux software goes through a lot more stringent control than windows counterparts (say adobe or winamp or even the microsoft products). On the other hand if you look at the BSD front well buddy, OpenBSD is the only OS out there that can say that it has only 2 vulnerabilities found in its over 5 year history. Plus it is light years ahead of the Windows kernel. It has encrypted virtual memory plus a whole bunch of other security goodies. I have yet to hear of a well maintained FreeBSD server that got hacked.

      Oh yeah and if you knew anything about system design you would also know that buffer overflows increase rather than decrease as your software base grows (i.e. "problem just gets lost in the systemic noise" this must be the most delusional thing that I have heard in a long time). First of all there is no such thing as *systemic noise* and second of all the more stuff you install the higher the chance for a buffer overflow in your system because it has to integrate all the newly added dlls and make sure that they play nice (in layman's terms).

    3. Re:It does little for Windows by Anonymous Coward · · Score: 0

      sorry but have you seen some of the utter crap that comes out of redmond and the other "windpows programmers"?

      point and drool programming = crappy code. I can buffer exploit almost any VB app.

    4. Re:It does little for Windows by Stephen+Samuel · · Score: 1
      In my practice (and it is apparently not as limited as yours) linux software goes through a lot more stringent control than windows counterparts (say adobe or winamp or even the microsoft products).

      Try rereading my post, and then doing some math. I never said that open source had more buffer overflows, just a higher proportion.
      0.5N/X1 >> N/X2 as X1 -> zero

      Nonetheless, my point was that most of the windows vulnerabilities have more to do with bad system design than with errors in the implementation.

      Given that Linux and the BSDs are far better designed, this means that a greater proportion of the errors that are reported are of the programmer error kind, rather than the system design kind (this also applies to OpenBSD's record of 2 remote's in 5 years).

      I'm not saying that there are more (or less) buffer exploits for OS boxes than for Windows (I suspect that OS has less than MS does, but I'm not gonna go hunting stats because it's irrelevant to my argument)...

      I'm just saying that of the bugs reported for Windows, the number of bugs that are due to what I diagnose as Windows being designed by their marketing department, rather than their engineering department swamps the number of bugs due to things like buffer overflows.

      As an example: BSD's (!massive) two remote exploits were both (I believe) buffer overflow-type errors (( dunno if NX would have saved us, though )). Compare this to the percentage of MS errors that are due to things like effectively making active-X part of the core operating system, and my point is proven.

      --
      Free Software: Like love, it grows best when given away.
  28. For now, it creates more problems than it solves. by Anonymous Coward · · Score: 4, Informative

    In a recent cluster installation, we noticed that any tool (IBM's RAID console and the PolyServe cluster file system management console) involving Java aborted with SIGSEGV errors. This was a Redhat ES 3.0 u3 installation on IBM e336 (dual Xeon 3.06 GHz) systems. Run the tools, immediate BOOM!

    Noting that the problem was the JRE blowing itself out of the water with SIGSEGV (and talking to friends that had installed the same OS and same software on different hardware) led me to do some more research. "strace" can indeed be your friend. It seems that AFAICT the NX feature was added to the Xeon processor versions (stepping) that were in our machines. There was no way to disable the feature in the BIOS. There is a little, er, confusion in the various documentation about the kernel's behavior, but "noexec=on" is the default as far as I can tell.

    So, what (apparently) happened here?

    [personal opinion] Intel, rushing to counter the AMD marketing blitz about the wonders of "no execute", put the feature into their newest Xeon CPUs, possibly before the BIOS functionality caught up. The Linux kernel's choice of defaulting the new feature to "on" (theoretically the best choice) unfortunately resulted in numerous "issues", particularly in applications (simulators, virtual machines, etc.) that commonly execute things within the stack segment. This is done all the time in this class of application. The software development community hadn't caught up to the new feature, either. It seems that there are linker attributes that can disable the behavior (still researching this). [/personal opinion]

    If you Google for this issue you will find that virtually (pun intended) anyone that relies on a JRE on Linux (Oracle, IBM, etc.) was affected iff the hardware did the NX bit. Our solution was to download the latest JRE from a source on the Web (Sun in this case) and hope that we did not run into Java compatibility issues or that the JRE versions in the software packages were not bolted in.

    We squeaked by with our solution, but it only cost about a whole day figuring it out. Time is cheap. Technical problems are fun, especially with a customer watching all of the game over your shoulder. "You have done this before, right?"

  29. Re:Holland or the Netherlands? by gibson042 · · Score: 2, Funny

    When you say "Americans," do you mean to include Canadians, Mexicans, Brazilians, Cubans, and Jamaicans, or were you just referring to US citizens?

  30. Interesting that this should happen by MP3Chuck · · Score: 4, Insightful

    I was speaking to someone on a forum just recently, and they mentioned how their processor had "built in virus scanning." After a bit of an argument (he was quite convinced that it was truly virus scanning) I ended up correcting him, and simply explained that it could help stop a "bad program from tricking your computer into doing something it shouldn't."

    It's a shame that they couldn't come up with a better way to market this ... because it's definitely misleading to those who don't understand what it does and can easily become an issue of semantics for people who might confuse "virus protection" with "antivirus software." And in a world where the blue E on grandma's desktop = The Internet(TM) this may be happening more than it's apparent.

    1. Re:Interesting that this should happen by chawly · · Score: 2, Funny

      I, for one, welcome the grandma in question as our new antivirus overload .... sorry, that should have been overlord.

      --
      How many beans make five, anyhow ? ... Charles Walmsley
    2. Re:Interesting that this should happen by B1gP4P4Smurf · · Score: 1

      Please, go back to fark.com.

    3. Re:Interesting that this should happen by chawly · · Score: 1

      I on my way boss. I sorry.

      --
      How many beans make five, anyhow ? ... Charles Walmsley
    4. Re:Interesting that this should happen by TheGratefulNet · · Score: 1

      and the AMD marketing is worse than intel, how?

      blue men? p4 brings multimedia (like, others can't)?

      intel has been the master of lying and deceit in their commercials for years. its about time AMD steps up to the plate and fights fire with fire.

      --
      "It is now safe to switch off your computer."
    5. Re:Interesting that this should happen by Blakey+Rat · · Score: 1

      My favorite was the one where Intel basically claimed that the Pentium IV processor would make your photos look better. They also had one that basically claimed that it would make the Internet faster.

    6. Re:Interesting that this should happen by TheGratefulNet · · Score: 1
      I'd like to know what Bush was using to power _his_ internets?

      you think it was a pentium 4?

      --
      "It is now safe to switch off your computer."
    7. Re:Interesting that this should happen by MP3Chuck · · Score: 1

      Yes, because one company with crappy marketing justifies another. That works well for consumers.

  31. Uh by Anonymous Coward · · Score: 0

    How would supporting an AMD chip feature be copying Microsoft? Wouldn't it be copying AMD?

  32. Virus/worm distinction is growing less important by ikewillis · · Score: 2, Insightful
    Viruses are now including multiple attack vectors, and often times some of these require human intervention while some don't. As viruses grow increasingly multiparadigm and begin exhibiting both the properties of the canonical virus (requiring human intervention) and worm (spreading without human intervention) the semantic distinction grows less important.

    This is a distinction which Joe Sixpack has a terrible time grasping. Telling someone "Your computer's got worms!" is less likely to be comprehended than "Your computer has a virus", further complicating the difficulty of explaining to Joe Sixpack that hardware buffer overflow protection could save him from the next Windows worm...

  33. Self-modifying code? by Daverd · · Score: 1

    What about self-modifying code?

    1. Re:Self-modifying code? by VertigoAce · · Score: 4, Informative

      This is the kind of thing that NX breaks. One notable situation is that Java, .NET, and anything else that dynamically generates code will break if not properly coded. My understanding is that you have to specifically request that a data page be executable. In an OS that uses the NX bit normal data pages will be marked as not executable. I recall seeing something from Microsoft telling developers how to fix their software so this wouldn't be an issue when they updated the OS to use the NX bit (XP SP2, I believe).

    2. Re:Self-modifying code? by Anonymous Coward · · Score: 3, Interesting

      No, the correct solution is not to allocate memory as both writable and executable; it's to initially allocate the memory as writable, dynamically recompile the code, then call mprotect(2) to change it from writable to executable.

      Simply allocating it initially as both writable and executable needlessly opens your JIT to the possibility of exploits.
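
The allocate-writable, generate, then mprotect(2)-to-executable sequence described in the comment above, as an added example that is not part of the original thread. It assumes Linux on x86, x86-64 or AArch64; the helper names `jit_emit` and `page_perms` and the "return 42" stub are constructed for the illustration.

```c
/* Added example (not from the thread): W^X code generation on Linux.
 * jit_emit() and page_perms() are hypothetical helper names. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for JIT output: machine code for "return 42". */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax,42 */
                                     0xC3};                        /* ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = {0x40, 0x05, 0x80, 0x52,  /* mov w0,#42 */
                                     0xC0, 0x03, 0x5F, 0xD6}; /* ret */
#else
#error "supply a 'return 42' stub for this architecture"
#endif

typedef int (*jit_fn)(void);

/* Copy the permission column ("rw-p", "r-xp", ...) of the mapping that
 * contains addr, as listed in /proc/self/maps. Returns 0 on success. */
static int page_perms(const void *addr, char out[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            strcpy(out, perms);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Emit code without ever holding a page that is writable and executable
 * at the same time. before/after receive the page permissions seen while
 * the buffer is being filled and once it is ready to run. */
static jit_fn jit_emit(const unsigned char *code, size_t len,
                       char before[5], char after[5])
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    size_t maplen = (len + pagesz - 1) / pagesz * pagesz;
    void *buf;

    strcpy(before, "?");
    strcpy(after, "?");

    /* Step 1: writable, not executable. */
    buf = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return NULL;

    /* Step 2: "compile" into the buffer. */
    memcpy(buf, code, len);
    page_perms(buf, before);

    /* Step 3: drop write, add execute, in one call. */
    if (mprotect(buf, maplen, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, maplen);
        return NULL;
    }
    /* Needed on AArch64, harmless on x86: sync instruction cache. */
    __builtin___clear_cache((char *)buf, (char *)buf + len);
    page_perms(buf, after);

    return (jit_fn)(uintptr_t)buf;
}

int main(void)
{
    char before[5], after[5];
    jit_fn fn = jit_emit(STUB, sizeof STUB, before, after);

    if (!fn) {
        perror("jit_emit");
        return 1;
    }
    printf("while writing: %s, while executing: %s, result: %d\n",
           before, after, fn());
    return 0;
}
```

Re-patching the generated code later means another mprotect(2) round trip back to writable, which is the per-update system call cost the replies below argue about.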

    3. Re:Self-modifying code? by Anonymous Coward · · Score: 1, Informative

      Some (many) of these compilers recompile on the fly and sometimes even jump back in the program to insert a later generated faster routine (useful in cases like a generic function, or multiple runs of the program)

    4. Re:Self-modifying code? by Anonymous Coward · · Score: 1, Interesting

      Simply allocating it initially as both writable and executable needlessly opens your JIT to the possibility of exploits.

      "Needlessly" is really strong word to use there. For just one example caching the results of virtual method lookups by executable-code rewriting is a highly useful optimization that is used in VM implementations for a number of languages. Having to go to the bother of a system call on every such cache miss seems like it might take a big bite out of that, don't you think?

    5. Re:Self-modifying code? by HeghmoH · · Score: 4, Interesting

      It's worth noting that on most OSes, Windows included, a program that writes code to memory and then expects it to be executable without any further intervention is buggy. Windows has required a system call to make the memory executable for a long time, it's just that it wasn't actually necessary before. The programs that NX breaks were always buggy, it's just that the bug was never exposed.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    6. Re:Self-modifying code? by gmack · · Score: 1

      My understanding is that you have to specifically request that a data page be executable. In an OS that uses the NX bit normal data pages will be marked as not executable.

      This is just plain not true. In Linux gcc uses a flag in the ELF headers to indicate NX friendly code. This is *not* flagged on old binaries and code that self modifies flags as non NX. So nothing actually breaks.
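
On Linux the ELF marking mentioned in the comment above is the PT_GNU_STACK program header, whose flags say whether the binary asks for an executable stack. The following checker is an added example, not part of the original thread; it assumes an ELF64 file in the host's byte order with its program headers inside the first 64 KiB, and `elf_stack_marking` and `make_sample` are hypothetical names.

```c
/* Added example (not from the thread): read the PT_GNU_STACK marking of
 * an ELF64 image. Assumes the file's byte order matches the host's. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum stack_marking {
    STACK_BAD_ELF  = -1, /* not ELF64, or truncated/inconsistent headers */
    STACK_NX       = 0,  /* PT_GNU_STACK present without PF_X */
    STACK_EXEC     = 1,  /* PT_GNU_STACK present with PF_X */
    STACK_UNMARKED = 2   /* no PT_GNU_STACK: an old, unflagged binary */
};

static enum stack_marking elf_stack_marking(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;

    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 ||
        img[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_phnum == 0)
        return STACK_UNMARKED;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len)
        return STACK_BAD_ELF;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        Elf64_Phdr ph;

        /* Every header must lie fully inside the buffer we were given. */
        if (off > len || len - off < sizeof ph)
            return STACK_BAD_ELF;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNMARKED;
}

/* Build a minimal constructed ELF64 image: ELF header, one PT_LOAD and,
 * if with_marking is set, a PT_GNU_STACK entry carrying stack_flags.
 * Returns the image size, or 0 if it does not fit in cap bytes. */
static size_t make_sample(unsigned char *buf, size_t cap,
                          int with_marking, uint32_t stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    size_t total;

    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph[0];
    eh.e_phnum = with_marking ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = stack_flags;

    total = sizeof eh + eh.e_phnum * sizeof ph[0];
    if (total > cap)
        return 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, eh.e_phnum * sizeof ph[0]);
    return total;
}

int main(int argc, char **argv)
{
    static unsigned char img[65536];
    static const char *names[] = {"NX-friendly (stack not executable)",
                                  "executable stack requested",
                                  "no PT_GNU_STACK (unflagged binary)"};
    enum stack_marking m;
    size_t n;

    if (argc > 1) { /* check a real file, e.g. ./a.out /bin/ls */
        FILE *f = fopen(argv[1], "rb");
        if (!f) {
            perror(argv[1]);
            return 1;
        }
        n = fread(img, 1, sizeof img, f);
        fclose(f);
    } else {        /* otherwise use the constructed sample */
        n = make_sample(img, sizeof img, 1, PF_R | PF_W);
    }
    m = elf_stack_marking(img, n);
    puts(m < 0 ? "not a parseable ELF64 image" : names[m]);
    return m < 0;
}
```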

    7. Re:Self-modifying code? by Anonymous Coward · · Score: 0

      DUH.

      Byte code is not run natively, but through an interpreter. NX makes the interpreter safer, it does not really affect how .CRAP would run unless it is compiled to machine code.

  34. The thing I really hate by mrchaotica · · Score: 0, Flamebait

    Hey, I'm really sorry; I try not to let stuff like this get to me, but for this one I just can't resist. I have to say it:

    Your sig sucks.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  35. Re:... AMD is banned but ... by chawly · · Score: 1

    No choice to make - you choose AMD for the CHEAP thrill.

    --
    How many beans make five, anyhow ? ... Charles Walmsley
  36. Re:Honest Answer by Anonymous Coward · · Score: 1, Informative

    Hmm, as far as I can tell Linux has no functionality where the "Start Menu", "User Switching", or the "middle mouse button" are concerned.

    However, perhaps in your ignorance you meant "GNU/Linux", though really I think you just mean GNU or more generally opensource.

    In which case here I am in Gnome2...Where is that Start Menu again?

    User switching? Oh yeah, I disabled that in Windows because it was so annoying (I mean, you have to do the windows update every day to stay safe, then you have to find whoever logged in to make sure they shut their apps down, etc).

    Middle mouse button? What useful feature does that have in Windows. At least I can paste with it in X, which is quite the timesaving feature.

    "etc" - Does that include FUD?

    The Golden Rule - "A Troll for a Troll"

  37. Can understand.. by kaiwai · · Score: 2, Informative

    I can understand the stance that the Dutch took in regards to the NX issue. Ultimately, these commissions need to ensure that the information given out by companies such as AMD are as clear and accurate as possible, and I'm sorry, when they say, "advanced virus protection", after putting my end-user hat on for two minutes, what the advertisement is basically saying is this; "throw out all your anti-virus software, this new CPU can not only protect you like a normal virus protector, but does it even better!"

    With that being said, however, the other flip side is how thinly do they want to slice the information; many things in IT can't be simplistically put down to a few catch words; the people to blame for this over simplification aren't the engineers, most engineers would love to give the information straight to the customer and say "here is the information, make your decision based on that", on the other side, the people who sell these products tend to have limited information technology knowledge, and not only misunderstand technology but try to break down things into simplistic language when in reality, they're complex matters no matter how much they're rephrased.

    So, I guess it is more of an issue of trying to weigh up on one hand, informing customers of a product feature whilst at the same time realising that some aspects of technology are just plain well complex.

    1. Re:Can understand.. by Teun · · Score: 1
      With that being said, however, the other flip side is how thinly do they want to slice the information; many things in IT can't be simplistically put down to a few catch words

      Oh it can be put down in a simplistic and correct way.
      There have been several examples in Dutch advertising that should have led AMD to statements like "Can help in stopping viruses" instead of their present "Will stop viruses".

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Can understand.. by kaiwai · · Score: 1

      Not to slice too thinly, but the fact remains, you aren't stopping a virus. IIRC, I don't think a buffer overflow can be considered a virus.

    3. Re:Can understand.. by superchkn · · Score: 1

      And yet my virus scanner detects both worms and trojans...and many worms use buffer overflow exploits to spread. What a confusing world we live in.

      We are talking about the general public here and the fact remains that if the computer gets it without the user's permission, that's pretty much a virus. With the notable exception of spyware, probably because the virus scanner manufacturers didn't feel like starting a firestorm by detecting it as a trojan.

      The typical home user probably has a hard enough time distinguishing between spyware and trojans, let alone attempting to digest this "NX bit" and "buffer overflow" thing anyway. I'm usually all for being technically correct, but I'm not going to require that when talking to a 4 year old which is essentially what AMD is doing when advertising to home users.

      That said though, since I haven't actually heard any of these commercials, I must go off what's been posted. If the accounts are true, it certainly is misleading advertising. They make it sound as if there's a virus scanner residing in the CPU somewhere scanning the software as it's executed. That's clearly not the case and I can think of several better ways to market its advantages in the few seconds I just took to think about it without misleading and confusing the public.

  38. It only stops one specific type of attack... by Anonymous Coward · · Score: 0

    ... namely stack-based buffer overflows that rely on an executable stack. There are a variety of other buffer-overflow attacks (e.g. return-to-libc, corruption of data rather than code, etc etc) for which NX has no effect. So while it's certainly quite useful, it's not a brick wall. As I understand it AMD's ad campaign claimed that this stopped viruses in general (not just specifically buffer overflows but viruses in general) which isn't true, there are a huge number of attack vectors other than buffer overflows.

  39. How to stop Buffer overflow . by zymano · · Score: 1

    Why do we have these anymore ?

    Why don't the people at Monopolysoft start using more secure libraries with visual c/c++ ?

    Performance hits are worth it.

    1. Re:How to stop Buffer overflow . by Anonymous Coward · · Score: 0

      How do you force people to a new platform when the old one is secure?

      I mean, who cares if your OS is no longer supported with updates if it doesn't need them?

    2. Re:How to stop Buffer overflow . by dbacher · · Score: 1

      This argument would carry more weight if Samba, libJpeg, libPng, Mozilla Firefox, Konqueror, KDE, Gnome and xPDF hadn't had recent buffer overflows.

      The big issue is that C and C++ don't perform buffer checks at a language level, and if they did, performance would be compromised for some applications. Some programs can deal with a performance hit, others cannot.

      NX is a really nice feature in that most overflow attacks involve putting some code in memory, then crafting some attack to jump to it. It is really much more difficult to do this with NX.

      Meanwhile any sane VM should be allocating memory with system alloc calls, and then be manually flagging it as executable when it is ready to run.

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
  40. Buffer overflows not the issue on Windows by bigberk · · Score: 3, Interesting

    On Windows systems, no, it's not buffer overflows that are the major problem and the CPU's capabilities with respect to flagging memory pages will do absolutely nothing. Humans install viruses on Windows systems. They fall for tricks, it's a social problem. Sure there are still some buffer overflow issues.

    1. Re:Buffer overflows not the issue on Windows by evilviper · · Score: 1

      Just because one vector is the most common, does NOT mean you shouldn't try to protect the other, less used vectors.

      In other words... Even though the windows in your house are easy to break, it's still a good idea to get a stronger (front/back) door and lock.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  41. Re:Dutch people by chawly · · Score: 0, Troll

    Cultural ..... if you like. Might want to define it like "The Dutch come from a very small country called Holland. In Holland there exists one very big company called Philips. Philips has a very well defined corporate point of view (I nearly said culture) regarding innovation which is not theirs" Don't you folks have a saying "What's good for General Motors is good for America"? Well in Holland that goes "if it even might be bad for Philips, then it's shit". As for herpes - I hear that, in America, they're not against it.

    --
    How many beans make five, anyhow ? ... Charles Walmsley
  42. Re:joe six pack is made to be owned by Anonymous Coward · · Score: 0

    Yours is the superior intellect!

  43. Re:Dutch people by Anonymous Coward · · Score: 0

    I'm a big fan of self-correcting problems.

    That said, can you guys start catching HIV and just get it over with?

  44. Ohh Cmon by logicnazi · · Score: 4, Interesting

    I can't say I think the NX bit is really that big a deal, it only makes things a little harder when you can't execute code on the stack since a stack overflow lets you return program execution to any address on the system you want. Often a cleverly designed system call or another non-stack user controlled data structure will still allow the attacker to gain control.

    Still it really does provide some virus protection which is a lot more than can be said about most commercials. I mean is the 'lemon strength cleanser' actually a better cleanser because of the lemon. Is 'oxygenation' or whatever really important for skin care.

    Maybe they manage to stop all these types of advertising exaggeration over there, and if so my hat is off to them. At least if they can really manage to do it objectively. Often these sorts of rules aren't applied evenly, letting false but dear cultural assumptions slide by but blocking correct but disconcerting claims. For instance I have no doubt that if we had these sort of tight 'truth in advertising' laws in the US we would find condom ads forced to produce 3 peer-reviewed studies for every claim they make while gun ads would be allowed to imply or outright say that carrying a gun makes you safer. But maybe other countries can pull this off, after all I'm always amazed the U.K. can function so well without an explicit constitution so who knows. If they can do it objectively my hat's off to them.

    --

    If you liked this thought maybe you would find my blog nice too:

    1. Re:Ohh Cmon by Homology · · Score: 1
      I can't say I think the NX bit is really that big a deal, it only makes things a little harder when you can't execute code on the stack since a stack overflow lets you return program execution to any address on the system you want. Often a cleverly designed system call or another non-stack user controlled data structure will still allow the attacker to gain control.

      OpenBSD uses the NX bit to implement a memory policy forcing a page to be either writable or executable, but not both. This will make your example exploit much harder to do. On i386 OpenBSD used some other trick to implement this policy, but NX makes it much easier.

      You can check out Theo's slides for a description.

    2. Re:Ohh Cmon by Anonymous Coward · · Score: 0

      NX just fixes a bug / mis-feature in x86 hardware design that meant the really trivial overflow exploits were easy to write.

      Raising the bar in this way may have several effects...

      * Security experts (White hats) may no longer bother writing proof of concept (POC) exploits because it might be harder.
      + Therefore script kiddies might find it harder to get their hands on a POC and convert it into a malicious exploit.
      + However vendors often need a "kick in the pants" to fix their code. Less scrupulous vendors may leave bugs with no known POC unfixed indefinitely.

      * White hats may spend more time on each bug, creating a definitive POC for each.
      + Less bugs get found by white hats (they're too busy)
      + Criminals (Black hats) have more as-yet unreported bugs to work with, because the White hats are so busy. So their job gets easier

      * If the bar is raised high enough Black hats may lose interest altogether, looking for the next weakest link in the chain
      + Such changes of strategy often catch people off guard, and could have dramatic effects

      * Apparent success of read-only stack and heap could reduce pressure to further improve software engineering techniques and OS security design
      + No program with uncharacterised bugs can properly be said to be secure. A false confidence could arise, leading to later disaster.

    3. Re:Ohh Cmon by logicnazi · · Score: 1

      Yes, it could be used to implement such a secure OS but it won't be in most mainstream operating systems. Dividing things strictly into writable and executable bins causes all sorts of backward compatibility problems for JIT compilers and the like (stack execution I think is more rare).

      In any case this was already possible before the NX bit. Segment level protection prohibits the CPU from loading CS with any segment which isn't marked executable. Unfortunately, most OS's don't use segment level protection (someday I would like to find out why) so the only claims of improvement that AMD should be able to provide with the NX bit are in terms of OS adoption. Clearly OpenBSD was able to use this earlier feature in previous versions of OS so it is certainly technically possible. So at best AMD should be able to advertise "makes it easier for your OS programmers."

      --

      If you liked this thought maybe you would find my blog nice too:

    4. Re:Ohh Cmon by logicnazi · · Score: 1

      What I meant is that AMD can claim advantages about the NX bit in one of two ways.

      1: It is a technical innovation which increases the capabilities of the processor to stop exploits.

      2: It is a pragmatic innovation which will cause OS's to have better virus protection.

      AMD can choose either way to promote their product but not half of one and a little bit of the other. If you choose 1 you have to admit that NX does nothing technically that segment level protection does. If you choose 2 you can only consider the benefits that are likely to be implemented in the OS not theoretical ones.

      --

      If you liked this thought maybe you would find my blog nice too:

  45. You're looking at the wrong analogy by Anonymous Coward · · Score: 0

    Weed is legal, but is advertising weed legal?

  46. Re:... AMD is banned but ... by Anonymous Coward · · Score: 0
    Weed is Legal?
    That's right, it is medically known to not damage people (and even has beneficial effects), so adults are allowed to use if they wish. Similar to alcohol use, tobacco use, etc.
  47. Re:joe six pack is made to be owned by Anonymous Coward · · Score: 0

    I think he's being sarcastic. At least that's what I think when someone with a positive karma posts something like that. But maybe that's just me...

    (for those that are annoyed by the "...", I guarantee that more's coming. Just hang around awhile.)

  48. Re:Is Holland a Country? by Anonymous Coward · · Score: 0

    No, it's part of The Netherlands

  49. The simple, but misleading explanations by Zorilla · · Score: 1

    I'm curious if there were any countries that had a similar reaction to past near-false advertising campaigns, such as the "The Pentium II makes the internet faster!" ad several years back.

    --

    It would be cool if it didn't suck.
    1. Re:The simple, but misleading explanations by pe1chl · · Score: 1

      Apparently you can claim almost anything in adverts in many countries. In the Netherlands there are some quite firm restrictions, and a commission where anyone can complain about an ad.
      Probably in other countries you would have to use the legal system, and nobody would bother.

  50. Re:joe six pack is made to be owned by kisanth88 · · Score: 0, Flamebait

    At the risk of sounding like a flame....

    "fuck joe six pack"

    Can you do plumbing, drywall, framing, roofing, siding, flooring, electrical wiring, etc????

    I'm sure you could do it with some training, but wait, who is going to train you? Joe Six Pack after you've "0wnz0r3d" his PC?

    Not bloody likely.

    The simple fact of the matter is that the human race and indeed technology owes its position to specialization of skills. If you don't care about Joe Sixpack's PC experience then you are an elitist bastard.

    It takes all kinds to make the world go round as they say and it is our job as the nerds/geeks/pointy head/whatever to make our part move you short sighted bastard.

    ** This post made while mostly drunk, 8 beers... Call me Joe 8 Pack, you asshat

  51. Re:Holland or the Netherlands? by DerWulf · · Score: 1

    Gold :)

    --

    ___
    No power in the 'verse can stop me
  52. Re:Holland or the Netherlands? by Dun+Malg · · Score: 2, Interesting
    I actually believe that the word for "Netherlands" in Japanese is "Oranda", which would be some sort of a borrowing of "Holland". So it's not just us American lamers that fail to make the distinction.

    Heck, most languages call other countries (and/or their native languages) by names that frequently have little relation to their native name. People in Byelorus even complain that germans call their country "white russia" instead of "byelorus", even though they call the German language "nyemetski" instead of "deutsch". So long as the information is passed, people need to quit pitching a fit about it. It's just the way language has developed.

    --
    If a job's not worth doing, it's not worth doing right.
  53. Re:Is Holland a Country? by glassjaw+rocks · · Score: 1

    Yes, I know what a buffer overflow is. I was just saying that AMD didn't have anything to worry about, and I was expressing my OPINION about how unnecessary virus protection is, as long as you're not a dumbass.

    --
    -gjr
  54. Re:... AMD is banned but ... by superchkn · · Score: 1
    That's right, it is medically known to not damage people
    It's safe just like alcohol and tobacco.

    There may be components in marijuana that can be medically useful, but using the plant itself (a mixture of a variety of beneficial and harmful components) isn't going to net one any benefits. It's somewhat akin to putting crude in your gasoline car versus using gasoline which is just one component refined from oil.
  55. Re:Holland or the Netherlands? by Errtu76 · · Score: 2, Funny

    I'm dutch and i always refer to my country as Holland. Maybe because i actually live in this section (you're right about that), but think about this: whenever we play football (or 'soccer' for you americans) our songs sing of Holland, not Netherlands. I frankly don't care what people call my country, be it Holland or The Netherlands. What i do mind however is the fact that every foreigner thinks everybody here smokes weed, lives in a windmill and walks around on wooden shoes :P

  56. Re:Holland or the Netherlands? by Anonymous Coward · · Score: 0

    Since he didn't specifically exclude South or Central America you could also add Argentina, Chile, Uruguay, Paraguay, Brazil, Colombia, Peru, Venezuela, Panama, Belize, El Salvador, Guatemala, Nicaragua, Guyana, Ecuador, Honduras, etc.

  57. Re:Holland or the Netherlands? by Anonymous Coward · · Score: 0

    Not quite. Some of the provinces of what is now the Netherlands (including North and South Holland) used to be independent regions until they formed the republic of the (Seven) United Netherlands in the 16th century.
    (And yes...the declaration that was used to seal all this was partly used as a model when the United States were formed.)

  58. Re:Holland or the Netherlands? Wanna know ? by cablepokerface · · Score: 2, Informative

    ok, here goes. The Netherlands and Holland are one and the same, so they are different names for 1 country. Holland is an old name, you see, 'Hol' is an old word for wood in dutch (= the language of the netherlands), back in the day the whole country was full of trees so they basically called it 'Land of wood'.

    The Netherlands means what it says; compared to sea level countries like belgium, holland and luxemburg lie very low (not sure if 'lie very low' is the correct way to say it but you catch what I mean.), about 16 meters or so below sea level. Since a few centuries ago the Netherlands consisted of belgium, holland and luxemburg, those countries were called 'the netherlands'. As in, 'the lands which lie nether' ...

    Added confusion: Holland consists of 12 'provinces', not unlike a 'county' in the US. two of these counties are called 'North-Holland' and 'South-Holland'. Those are just names, and are only a small part of the country.

  59. Re:Dutch people by Anonymous Coward · · Score: 0

    Philips, but also things like Unilever, Royal Dutch/Shell, KLM and Heineken are all dutch companies.

    And me, being dutch myself, don't give a rats ass about what they think is good or bad

  60. Re:Holland or the Netherlands? by Anonymous Coward · · Score: 0

    What i do mind however is the fact that every foreigner thinks everybody here smokes weed, lives in a windmill and walks around on wooden shoes

    We don't really think that about the windmills and the shoes.

  61. Nobody has pointed out by kronchev · · Score: 2, Interesting

    That NX has ALWAYS been around. It used to be enforced and used a long, long time ago...processors stopped responding to it, so people got lazy and coded. It doesn't "break" anything anymore than Mozilla breaks badly coded CSS pages. You people who are saying that it causes more problems are completely ignoring the REAL problem, and that is substandard coders and code!

    The AMD NX feature is a long, long overdue feature that processors have been missing for quite some time, and it can prevent a LOT of misuse. I admit that AMD has made it seem like it's an end-all to viruses, but trying to explain it to non-technical people isn't a simple thing.

  62. Re:Dutch people by chawly · · Score: 1

    And quite right too, my AC friend. The fact that I'm not Dutch but that I do work for Philips distorts my point of view.

    --
    How many beans make five, anyhow ? ... Charles Walmsley
  63. What will JITs do with NX ? by Gopal.V · · Score: 1
    And if the NX bit were used for more than the stack, then it could protect against a lot of (non-trojan) viral activity too.

    So would all the JITs that everyone's built so far .. Remember that not all code blocks are loaded as readonly off the disk. I had to go through a couple of hoops to get portable.net to work on OpenBSD..

    In short they would have to provide a way to mark a write-able buffer as executable - and I suppose you'd call it the next design mistake ?.

    Read about PAE and JITs (hint: dotnet ships with AOT capabilities)..
    1. Re:What will JITs do with NX ? by HeghmoH · · Score: 1

      In short they would have to provide a way to mark a write-able buffer as executable

      Every single OS that supports a no-execute bit provides this (including Windows), otherwise things like dynamically-loaded libraries wouldn't work too well. JITs that run on these OSes are, of course, coded to call this when necessary. It's not really a big deal.

      Remember that even though NX is The Next Big Thing in the x86 world, rationally-designed CPU architectures have had no-execute bits in their MMUs for a long, long time, and the OSes that run on them tend to take advantage of it.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    2. Re:What will JITs do with NX ? by Gopal.V · · Score: 1
      otherwise things like dynamically-loaded libraries wouldn't work too well.

      I'm talking about userland tools which do something like -

      JITcompile(bytecode);
      bytecode->__func(args);
      They preferably mmap space off /dev/zero and unlike a shared lib loader can't operate in kernel space (we're talking about NX in userland, not ELF loaders).
    3. Re:What will JITs do with NX ? by HeghmoH · · Score: 1

      Functions like loading plugins and libraries at runtime are generally handled in userland, not in the kernel (or so I think), so we're talking about the same thing. Any OS which supports a no-execute flag will support a way to mark a region of memory as executable.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    4. Re:What will JITs do with NX ? by dbacher · · Score: 1

      A JIT should be using an OS level allocate call (not a standard library call), and should be requesting a writeable block. It then should be using an OS level call to mark the block read only and executable.

      The JIT should never require write access to a block that is currently executing, and a JIT that does is probably poorly designed and suspect.

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
    5. Re:What will JITs do with NX ? by IBitOBear · · Score: 1

      Not particularly difficult at all really.

      If the system in question (e.g. windows, linux, whatever) had a "recondition" call, that would return an executable pointer/handle/whatever given a data pointer/handle/whatever. And _if_ that call were smart enough to _never_ convert suspect pointers/handles. Then most buffer-overrun exploits would be impossible.

      Consider (vapid pseudo-code):

      Ptr = SpecialMalloc(size,MMU_CONVERTABLE_LATER);
      if (JIT(SourceBuffer,Ptr)) {
          FcntPtr = DataToCode(Ptr);
          if (FcntPtr) (*FcntPtr)();
      }

      Now is this completely unexploitable? Probably not, but probably _damn_ close if the only thing exploit can do is overrun the return area of the stack.

      Now add on the "potential fact" (e.g. make the design decision) that if the DataToCode() function is only available if it is linked in to the program in the first place (or the executable is flagged in a particular way etc), and the door to bogus-stack-return-call-pathing is shut for virtually all programs that didn't start life as JIT compilers anyway.

      The ibid for runtime linking is similar but trickier. I'll leave it largely as an exercise.

      The "trick" to closing off the stack fidgeting attack would actually be in constraining the calling conventions. For possible instance, if DataToCode() *ONLY* takes arguments from the stack and SpecialMalloc() *ONLY* returns values in registers (or whatever), that is, as long as the communication between the two parts requires something more than a Forth-like sequence of crafted library invocations, you raise the bar to a virtually impossible height.

      To wit, the buffer overrun would have to be into a buffer that was already known to have been specially allocated, OR there would have to be coincidentally existing code stream at a well-known static location in the executable that would allocate a special buffer, copy the overran buffer into the special buffer, and then convert and execute that buffer. Not impossible but highly unlikely.

      Meanwhile, what is the burden to the JIT compiler writer? Two syscall-equivalents and the restriction that you may only use heap buffers allocated in a specific way. Neither of these costs are prohibitive.

      To the dynamic linker question again, the prohibitions would end up being something like only being able to convert read-only mapped regions of otherwise-identifiably-executable files. (e.g. execute-bit set on *NIX, .exe or .dll etc on windows, and so forth). Since you don't want your shared libraries opened for writing anyway, and the ELR/.DLL-esque files are already going to need special handling anyway, these restrictions are hardly onerous.

      See, nothing lost, expenses quite trivial, protections quite significant and remaining exposure very small.

      Everything would work rather handily.

      --
      Innocent people shouldn't be forced to pay for inferior software development.
      --"Code Complete" Microsoft Press
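
The sequence dbacher describes above (allocate a writable block, emit code, then mark it read-only and executable), which IBitOBear sketches as SpecialMalloc()/DataToCode(), maps onto mmap() and mprotect() on a POSIX system. The C below is an added example, not code from any poster; it assumes a Linux-like system on x86-64 or AArch64, and every function name in it is the example's own.

```c
/* Added example, not code from the thread: W^X handling of a JIT buffer.
 * Assumes a Linux-like POSIX system on x86-64 or AArch64; all names are
 * this example's own. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS */
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
static const unsigned char STUB[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3}; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = {0x40, 0x05, 0x80, 0x52,              /* mov w0,#42 */
                                     0xc0, 0x03, 0x5f, 0xd6};             /* ret */
#else
#error "stub bytes are provided for x86-64 and AArch64 only"
#endif

typedef int (*jit_fn)(void);

/* Step 1: ask the OS for memory that is writable but not executable. */
static void *jit_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Step 2: once the code is emitted, trade write permission for execute. */
static jit_fn jit_seal(void *buf, size_t len)
{
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) != 0)
        return NULL;
    __builtin___clear_cache((char *)buf, (char *)buf + len); /* needed on ARM */
    return (jit_fn)(uintptr_t)buf;
}

/* The intended flow: allocate RW, emit, seal to RX, call. Returns 42. */
int jit_run_sealed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = jit_alloc(len);
    if (!buf)
        return -1;
    memcpy(buf, STUB, sizeof STUB);
    jit_fn fn = jit_seal(buf, len);
    int result = fn ? fn() : -1;
    munmap(buf, len);
    return result;
}

enum probe { EXEC_BEFORE_SEAL, WRITE_AFTER_SEAL };

/* Tries a forbidden access in a child process so the fault cannot take the
 * caller down. Returns 1 if the child was killed by a signal (access
 * blocked), 0 if the access went through, -1 if the probe could not run. */
int probe_blocked(enum probe what)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        signal(SIGSEGV, SIG_DFL);
        signal(SIGBUS, SIG_DFL);
        size_t len = (size_t)sysconf(_SC_PAGESIZE);
        unsigned char *buf = jit_alloc(len);
        if (!buf)
            _exit(2);
        memcpy(buf, STUB, sizeof STUB);
        if (what == EXEC_BEFORE_SEAL) {
            ((jit_fn)(uintptr_t)buf)();            /* page is RW-: NX fault */
        } else {
            if (!jit_seal(buf, len))
                _exit(2);
            *(volatile unsigned char *)buf = 0xcc; /* page is R-X: write fault */
        }
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return -1;
    return WIFSIGNALED(status) ? 1 : 0;
}

int main(void)
{
    printf("sealed call returned    : %d\n", jit_run_sealed());
    printf("exec before seal blocked: %d\n", probe_blocked(EXEC_BEFORE_SEAL));
    printf("write after seal blocked: %d\n", probe_blocked(WRITE_AFTER_SEAL));
    return 0;
}
```

At no point is the page writable and executable at once, so the JIT keeps working while a stray write into the code buffer, or a jump into a buffer that was never sealed, faults.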
  64. Why I should get an A64? by symbolset · · Score: 1

    Because a processor with 64 bits of memory address bits can access more memory than one with only 32?

    --
    Help stamp out iliturcy.
    1. Re:Why I should get an A64? by Myen · · Score: 1

      Hmm, so in my case, since I don't have that much physical memory, most of that would have to be virtual... And if I'm allocating that much virtual memory, I'll be thrashing to death anyway. Heck, I can already thrash to death on a 32bit system... If anything at all on my system wants 2 gigs of RAM, I won't be using it effectively.

      How does that help me?

    2. Re:Why I should get an A64? by symbolset · · Score: 1

      You are correct, then. If you won't pony up for 6 gigs of registered ECC RAM, and you don't care about the added performance, you're best off with a 32 bit solution. Believe me though -- other people do care. Experience shows that the RAM will be within the reach of most users soon enough to matter, and within the reach of most budget consumers the year after. Since the budget minded purchase with a three year lifespan in mind, your 32 bit choice should do you well for now.

      That much performance is silly anyhow for a normal person. If you're modelling geology to determine where to put the next well, maybe you need it. For most people a 2GHz machine with 512MB of RAM and an 80 GB drive is overkill.

      For most of America air traffic control is coordinated on a machine almost as powerful as a 386.

      --
      Help stamp out iliturcy.
    3. Re:Why I should get an A64? by damyata · · Score: 1

      Because a processor with 64 bits of memory address bits can access more memory than one with only 32?

      The AMD 64 actually has 48-bit virtual addresses and 40-bit physical ones. Check it here. 64-bit refers to the size of the registers/data paths. Whilst it is unlikely you will often operate on data which needs to be 64-bits (except for double precision FP for accurate maths applications) it does for instance allow for good use of SIMD instructions (4 16-bit values packed into one register and operated on at the same time for instance). Other tricks are possible too. The upshot is it will speed things up but generally only if programs/compilers are written with exploiting the architecture in mind.

    4. Re:Why I should get an A64? by symbolset · · Score: 1
      The Pentium and compatible processor series' likewise don't use all of their address bits efficiently, and for the same reason. When it was designed they didn't believe the need for that much RAM would come up. They were wrong.

      While incremental optimizations are exciting to the geek crowd, they don't compare to the potential to have large datasets in RAM. Having large RAM enables you to do things like edit high quality video interactively, build complex relationships on huge datasets and still serve the data in real time, use huge texture maps in your graphics design and many more wonderful things.

      At best, SIMD compiler tweaks get you a couple extra FPS. Not the same order of magnitude.

      --
      Help stamp out iliturcy.
    5. Re:Why I should get an A64? by Anonymous Coward · · Score: 0

      640 K ought to be enough for anybody, you know...

  65. Re:joe six pack is made to be owned by Anonymous Coward · · Score: 0

    If your intellect is "supieror" in the same manner as your spelling, I don't think joe six pack has much to worry about the possibility of being owned by you.

  66. "Pointer in memory protection" by octogen · · Score: 4, Interesting

    There is a much more effective technology around since about 1988. IBM's AS/400 (now called "iSeries 400" or "eServer i5") has a feature called "Pointer in memory protection".

    Every time when the processor writes an address into memory (for example, return addresses stored in stack memory by subroutine calls) the memory location is marked as containing a valid address by using a "shadowed" flag, a 65th bit (one bit of ECC memory is used, so the machine does not need special memory modules, just standard ECC memory modules). If that memory location is overwritten with data, the CPU automatically clears the "shadowed" flag. If the CPU tries to use a pointer as a memory address, that was overwritten with data before, it automatically generates an interrupt.

    This feature was originally not designed to be a buffer overflow protection, but it was necessary, because the AS/400 uses a so-called "single level storage", where all applications use the same address space. Therefore, the machine needed some method to prevent applications from writing to arbitrary locations in memory, and that's why pointer-in-memory-protection was invented.

    Actually, the memory is also segmented, one segment for every "object" created by a program. Most buffer overflows can not even overwrite an address, because a character array will have its own object boundary.
    For example, the following code will typically not generate a buffer overflow on an AS/400:

    int main(void)
    {
        char space_a[20];
        char space_b[20];
        int i;

        for (i = 0; i < 100; i++)
        {
            space_a[i] = 'A';
        }
        for (i = 0; i < 100; i++)
        {
            space_b[i] = 'B';
        }
    }

    Just try it out, it should not even crash.
    I tried a lot of things like these on an AS/400 Mod. 170 running V5R2 using IBM ILE C compiler.

    I think, pointer protection using shadow flags is the right way to prevent execution of code inserted by exploiting buffer overflows, because all other protection methods can't prevent return-into-libc exploits, but the pointer-in-memory-protection can, so IMHO it is the only *real* protection.

    Further reading: "The inside story of the IBM iSeries" by Frank Soltis (a book about the architecture of the iSeries and the POWER processors)
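
A simplified software model of the tag-bit mechanism described in the comment above, added here as an illustration. It is not IBM's implementation; the slot layout, sizes, sample values and function names are assumptions made for the example.

```c
/* Added model, not IBM code: one tag bit per memory word, following the
 * description in the comment above. Sizes, slot layout and function names
 * are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORDS     8
#define BUF_WORDS 4          /* slots 0..3: a local buffer        */
#define RET_SLOT  4          /* slot 4: the saved return address  */

typedef struct {
    uint64_t word[WORDS];
    uint8_t  tag[WORDS];     /* 1 = slot holds an intact pointer  */
} tagged_mem;

/* Pointer store (e.g. a call saving its return address): sets the tag. */
void store_pointer(tagged_mem *m, size_t slot, uint64_t addr)
{
    m->word[slot] = addr;
    m->tag[slot] = 1;
}

/* Ordinary data store: always clears the tag, whatever the value is. */
void store_data(tagged_mem *m, size_t slot, uint64_t value)
{
    m->word[slot] = value;
    m->tag[slot] = 0;
}

/* Using a slot as an address: 0 and *out on success, -1 models the interrupt. */
int load_pointer(const tagged_mem *m, size_t slot, uint64_t *out)
{
    if (!m->tag[slot])
        return -1;
    *out = m->word[slot];
    return 0;
}

/* The bug being modelled: n is never checked against BUF_WORDS. The check
 * against WORDS only keeps the model itself inside its own array. */
void unchecked_copy(tagged_mem *m, const uint64_t *src, size_t n)
{
    for (size_t i = 0; i < n && i < WORDS; i++)
        store_data(m, i, src[i]);
}

/* Build a frame, copy n input words into it, then "return".
 * Result: 0 = returned to the legitimate address, 1 = returned elsewhere
 * (what happens without tags), -1 = trapped on an untagged return address. */
int call_and_return(const uint64_t *input, size_t n, int tags_enforced)
{
    const uint64_t legit = 0x401000;        /* constructed value */
    tagged_mem m = {{0}, {0}};
    uint64_t target;

    store_pointer(&m, RET_SLOT, legit);
    unchecked_copy(&m, input, n);

    if (tags_enforced) {
        if (load_pointer(&m, RET_SLOT, &target) != 0)
            return -1;
    } else {
        target = m.word[RET_SLOT];
    }
    return target == legit ? 0 : 1;
}

int main(void)
{
    /* Constructed input: four filler words, then a fifth word that lands on
     * the return slot and holds the address of some existing function. */
    const uint64_t input[5] = {0x41, 0x41, 0x41, 0x41, 0x7f0000001234};

    printf("in bounds, tags on : %d\n", call_and_return(input, 4, 1));
    printf("overflow, tags off : %d\n", call_and_return(input, 5, 0));
    printf("overflow, tags on  : %d\n", call_and_return(input, 5, 1));
    return 0;
}
```

The trap depends on how the word was written, not on its value, which is why the model also stops an overwrite that points at existing code rather than at injected data.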

    1. Re:"Pointer in memory protection" by pe1chl · · Score: 2, Interesting

      Memory tag bits are nothing new; Burroughs 6000/7000 systems had these (3 bits per word even) in the 1960's.
      With 3 bits you can also tag a word to contain instructions, and the type of data (integer, float etc).

    2. Re:"Pointer in memory protection" by Anonymous Coward · · Score: 0

      Every time when the processor writes an address into memory (for example, return addresses stored in stack memory by subroutine calls) the memory location is marked as containing a valid address

      That example is one of the very few places this could be applied on x86. Other cases are probably less important, but virtually all other code involving pointers treats them as regular data.

      So if this were implemented, I'd look to corrupt pointers used for indirect calls, like DLLs. It can't protect "call [ecx]", as hard as that may be to exploit.

      Actually, the memory is also segmented, one segment for every "object" created by a program. Most buffer overflows can not even overwrite an address, because a character array will have its own object boundary.

      x86 has instructions that can be used for bounds checking just fine. Anybody who wants the extra overhead will enable it in their compiler.

      all other protection methods can't prevent return-into-libc exploits

      There are a few ways to do this in combination with NX-stack.

    3. Re:"Pointer in memory protection" by mparker762 · · Score: 1

      And the lisp machines had something similar as well. the Symbolics Ivory processor used 40-bit words, 32-bits of address/data, and 8 bits of type info.

      One of the neat side effects of this is that there was only one opcode for, say, "add". It looked at the data types and figured out whether to do a fp or integer add, and could trap on anything else -- the standard trap handler would detect mismatched types and perform the appropriate coercions. Similarly, the array-reference opcode knew (a) whether it was a char array or an int array or something else, and the size, and handle the offset scaling and range checking appropriately.

      There was also a magic "forwarding" type value, that said in effect "the thing that used to be here is now over there", where "there" was an address in the data field of that value. The hardware would automatically chase the pointer to the new location to get the real data. This meant that you could safely move objects around in memory without having to patch all of the pointers. There was a low-priority OS thread that walked memory finding pointers to redirected memory and patching them up, and would reclaim the memory occupied by the old object once no pointers to it were left around.

      This was used by the paging system to rearrange objects around memory so that objects in the working set were compacted into pages in the working set. This allowed the symbolics machines to have virtual:physical memory ratios > 100:1 with acceptable performance.

      All this complicated hardware wasn't the snappiest thing in the world, but it was pretty cool.

    4. Re:"Pointer in memory protection" by DavidTC · · Score: 1

      That means you can't do any pointer math at all.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:"Pointer in memory protection" by octogen · · Score: 1

      You can, because the system uses different types of pointers - for example, to address a character array, a combination of space offset pointers and a system object pointer is used; the machine just checks, whether your space offset pointer still points inside the space allocated to your (protected) system object pointer. However, you cannot use a space offset pointer as an argument to a subroutine call instruction.

  67. Re:For now, it creates more problems than it solve by Deviate_X · · Score: 1

    Of course since you had the Linux source code you could have fixed the problem yourself.

  68. Re:Honest Answer by putaro · · Score: 1

    Middle mouse button? What useful feature does that have in Windows.

    Gives you a place to rest your middle finger when it is being shaken at the screen.

  69. Re:Is Holland a Country? by mcleaver · · Score: 1

    Sure Holland's a country - although some Dutch would like to see all us foreigners get our tongues round "The Netherlands". In Dutch, Holland technically refers only to two of its provinces, but this ain't Dutch...
    However - to the point - I can't see why the ad should be banned. After all, who would be using the latest AMD processors on machines running XP without installing SP2?
    It sounds a bit silly to me. But all publicity is good publicity!
    Rgds
    Martin

  70. AMD64 Adverts Suspect Too by brokenvoice · · Score: 2, Interesting

    Don't forget that this is the company that uses a very badly retouched Apple G4 Titanium Powerbook in its AMD64 adverts. I was walking down a street in Glasgow last week and saw it in a bus shelter. You could even see where the *artist* had tried to cover the Apple logo on the lid.

    1. Re:AMD64 Adverts Suspect Too by Dogtanian · · Score: 1

      Don't forget that this is the company that uses a very badly retouched Apple G4 Titanium Powerbook in its AMD64 adverts. I was walking down a street in Glasgow last week and saw it in a bus shelter. You could even see where the *artist* had tried to cover the Apple logo on the lid.

      'Artist'? You sure it wasn't just an instance of the rare 'geek-ned' putting their socially destructive tendencies to more profitable use?

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    2. Re:AMD64 Adverts Suspect Too by brokenvoice · · Score: 1

      A geek-ned? Is that like "Aw whit,maaan. I jist goat wan a theym Apple's man. But ah pure cannae get any games fur it doon the barras"?
      The problem with the advert was all about bad photoshopping, so you might well be right.

  71. AMD64 - New and improved! by yellowsubmarine · · Score: 0
    Tastes Great! Less Filling

    Now with Fluoride protection!

  72. Ah, here it is by Anonymous Coward · · Score: 1, Informative

    This seems to be the post that hit the news:
    http://gathering.tweakers.net/forum/list_message/22383398#22383398

  73. i just noticed... by name773 · · Score: 1

    fud = (etc + 1)

  74. Re:NX bit causes problems? by Anonymous Coward · · Score: 0

    And coming from someone who can't even preview the post for correctness: Ouch.

    I suspect it goes more like this: The only cunts you see are on your monitor and you got raging drunk surfing the porn sites. Then you wandered onto slashdot. Subsequently, you somehow fell off the pole you're sitting on, whacked your head on the floor and chipped your one remaining baby tooth. As befits a lemming such as yourself, you decide in a fit of rage to spout off the marketing hype you've managed to soak up in a post whose importance rivals that of your contribution to an actual productive program.

    But as they say, "Perception is reality".

  75. Holland? by SillyNickName4me · · Score: 0, Redundant

    That is a part of the name of 2 provinces in the country called the Netherlands. (north and south Holland), it is not a country on its own.

    Let's all call the USA New York...

    1. Re:Holland? by Anonymous Coward · · Score: 0

      Officially it is called "Kingdom of the Netherlands"

  76. Fortunately they did not ban PaX! by Anonymous Coward · · Score: 3, Interesting

    Of course NX does not stop viruses and trojans. However, in itself it does only stop some memory corruption attacks, like simple stack overflows. But not many other types of memory corruption attacks.

    NX is just one method to protect the integrity of the memory. What it basically does is that it allows an OS to implement separation between data and code in the memory of a running process. Many overflow and other attacks depend on writing data in the process memory and then executing it as if it was code. A virus or a trojan is usually a program. It depends on being run, not on memory corruption. Therefore protection against memory corruption brings you literally nothing.

    NX in itself stops exploit writers for approximately 15 minutes, which is the time it takes for them to adjust most of their overflows to make them work with NX. Only a handful of attacks cannot be adjusted. So NX in itself doesn't bring you much, despite what the marketing departments of companies like AMD and Red Hat tell you.

    The trick to provide good memory protection is not to only use NX, but to combine it with other protection methods. This is the approach taken by the PaX project http://pax.grsecurity.net/.

    However, there are also some PaX imitations which, unfortunately, do not implement all of the PaX technology (even though some of them claim they do or claim to be even better). Examples are: MS-Windows SP2, Red-Hat's Exec-shield and OpenBSD's W^X.

    Anyways, back from the technical intermezzo to AMD marketing. These guys have the same problem which people from the PaX project, exec-shield, OpenBSD and others who produce stuff like this have: Try to explain why this stuff is useful. If clever people like Linus don't get it, then how is one going to explain it to John Doe or the PHB's of this world? ``Memory corruption? Exploits? Buffer overflows?'' ``Woah! Brain overload!'' At least they have heard the word ``virus'' a few times and have learned that ``virus = bad''. So ``NX = good'', which cannot be explained to lusers, became ``NX = anti-virus = good''. Even if it is disabled by default, if you cannot motivate people to try to look for it, they never will.

    Oh yes, these patches break things. Most programmers are spoiled. They think it is normal to mess around with memory in any way they like. Few of them understand that what is convenient for them, is also convenient for exploit writers. It's like MS-DOS programmers complaining about the file permissions on UNIX.

    I hope AMD takes the challenge to produce better marketing, so more people start using this technology. Even though it is badly implemented in MS-Windows, it is a small step in the right direction.

    1. Re:Fortunately they did not ban PaX! by id09542 · · Score: 1

      I guess the power switch can be marketed as virus protection!!!!

    2. Re:Fortunately they did not ban PaX! by Lamieur · · Score: 0

      What you're forgetting is that PaX still uses software emulation of this NX-bit. They have paging-based and segmentation-based protection. The first makes my shell scripts run a few times slower; the second seems to be a little faster, but limits the address space for programs. Both are slowing down the whole system, one is limiting some programs' functionality.
      What the newest Opterons and Pentium 4s do is give you a hardware implementation. Set one bit and you're done, tada.wav. No one is preventing you from randomizing address bases, hiding addresses, restricting some privileges or capabilities, or even disabling access rights to /root to non-root users! They give you a great thing - non-executable pages, which you want to use and are using, with no performance cost (which you are accepting, but I'm not). Add a few other protection mechanisms to this one and you've patched 95% of all exploitable bugs.
      Without hardware support, it would be a question of security vs. performance. Now this question is gone for non-executable pages. Next step would be to include ultra-fast random number generators in processors or even hardware support for processes/threads with different access privileges to memory, low-level IO, etc. etc. NX bit introduction is good for you, appreciate it and wait for more (maybe something like AS/400 features mentioned earlier?) :)
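
The separation of writable data from executable code that the comments above discuss can be checked on a running Linux process by reading its memory map. The following is an added example, not code from any commenter or from the PaX project; both sample listings are constructed, and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed listings in /proc/<pid>/maps format (not captured from a real host). */
static const char SAMPLE_NX[] =
    "00400000-0040b000 r-xp 00000000 08:01 131090 /usr/bin/ftpd\n"
    "0060a000-0060c000 rw-p 0000a000 08:01 131090 /usr/bin/ftpd\n"
    "01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]\n"
    "7f2a4c000000-7f2a4c1c0000 r-xp 00000000 08:01 262301 /lib/libc.so.6\n"
    "7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0 [stack]\n";

static const char SAMPLE_LEGACY[] =
    "08048000-08056000 r-xp 00000000 08:01 131091 /usr/bin/legacyd\n"
    "08056000-08058000 rwxp 0000e000 08:01 131091 /usr/bin/legacyd\n"
    "09a1c000-09a3d000 rwxp 00000000 00:00 0 [heap]\n"
    "b7d00000-b7d20000 rwxp 00000000 00:00 0\n"
    "bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]\n"
    "not a maps line\n";

struct wx_report {
    int total;       /* mappings parsed */
    int wx;          /* mappings that are writable AND executable */
    int exec_stack;  /* 1 if the [stack] mapping is executable */
    int exec_heap;   /* 1 if the [heap] mapping is executable */
    int malformed;   /* non-empty lines that did not parse */
};

/* Parse "start-end perms offset dev inode [path]"; returns 0 on success. */
static int parse_perms(const char *line, char perms[5], char *path, size_t pathsz)
{
    unsigned long long start, end, off, inode;
    unsigned int maj, min;
    char p[8];
    int used = 0;

    if (sscanf(line, "%llx-%llx %7s %llx %x:%x %llu %n",
               &start, &end, p, &off, &maj, &min, &inode, &used) != 7)
        return -1;
    /* Permission field must be exactly [r-][w-][x-][ps]. */
    if (end <= start || strlen(p) != 4 ||
        !strchr("r-", p[0]) || !strchr("w-", p[1]) ||
        !strchr("x-", p[2]) || !strchr("ps", p[3]))
        return -1;
    memcpy(perms, p, 5);
    snprintf(path, pathsz, "%s", used > 0 ? line + used : "");
    return 0;
}

/* Walk a maps listing line by line and record violations of the
 * "writable or executable, never both" rule. */
static void audit_maps(const char *text, struct wx_report *r)
{
    memset(r, 0, sizeof *r);
    while (*text) {
        char line[512], perms[5], path[256];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, text, n);
        line[n] = '\0';
        text += len;
        if (*text == '\n')
            text++;
        if (n == 0)
            continue;
        if (parse_perms(line, perms, path, sizeof path) != 0) {
            r->malformed++;
            continue;
        }
        r->total++;
        if (perms[1] == 'w' && perms[2] == 'x')
            r->wx++;
        if (perms[2] == 'x' && strcmp(path, "[stack]") == 0)
            r->exec_stack = 1;
        if (perms[2] == 'x' && strcmp(path, "[heap]") == 0)
            r->exec_heap = 1;
    }
}

/* Small wrappers so callers can ask one question at a time. */
int wx_count(const char *text)
{
    struct wx_report r;
    audit_maps(text, &r);
    return r.wx;
}

int has_exec_stack(const char *text)
{
    struct wx_report r;
    audit_maps(text, &r);
    return r.exec_stack;
}

int main(void)
{
    const char *names[] = { "nx-respecting", "legacy" };
    const char *texts[] = { SAMPLE_NX, SAMPLE_LEGACY };

    for (int i = 0; i < 2; i++) {
        struct wx_report r;
        audit_maps(texts[i], &r);
        printf("%-14s mappings=%d w+x=%d exec_stack=%d exec_heap=%d malformed=%d\n",
               names[i], r.total, r.wx, r.exec_stack, r.exec_heap, r.malformed);
    }
    return 0;
}
```

A process whose listing shows no `w` and `x` together has the data/code separation in place; any `rwxp` line, and especially an executable `[stack]` or `[heap]`, marks memory where injected data could still run.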

  77. This just in by SCVirus · · Score: 3, Funny

    Microsoft has announced a new patch to stop social engineering... well actually it's a minor addition to the windows xp firewall that may prevent a small portion of attacks... but people won't understand that...

  78. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  79. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  80. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  81. AMD's idea is actually quite usefull.... by lucason · · Score: 2, Informative

    Quite a few viruses and hacks rely on buffer overflow errors. So eliminating that goes a long way.

    In fact I think Dutch courts took it too far, or at least farther than they would have for other products that mislead the public through advertising.

    Don't get me wrong, I'm all for truth in advertising, but this is selective justice.

    I have yet to see one laundry detergent that fails to get your cum stains out of your mother's favorite sweater actually get banned for false advertising.

    1. Re:AMD's idea is actually quite usefull.... by Anonymous Coward · · Score: 0

      I feel forced to ask you: Exactly WHY did you cum on your mother's favourite sweater?

    2. Re:AMD's idea is actually quite usefull.... by Anonymous Coward · · Score: 0
      [...]to get your cum stains out of your mothers favorite sweater[...]


      You're a sick man...Ok, let me rephrase : do you have any picture of your mother to share with us?
    3. Re:AMD's idea is actually quite usefull.... by Anonymous Coward · · Score: 0

      I'm all for truth in advertising, but this is selective justice.

      Not that I necessarily disagree, but do you have examples where a similar practice or situation was ruled otherwise in Dutch court?

      Do you know how regulation on advertising works in the Netherlands? I'm Dutch btw, and I don't. All I know is that they don't use some dogmatic 'misleading' or 'seducing' definitions. It's much more complex...

    4. Re:AMD's idea is actually quite usefull.... by lucason · · Score: 1

      I'm not Dutch. But Belgian. (but it would be 'antisocial' to continue in Dutch :-))

      Just look at the TV. The amount of misleading advertisements is astonishing. As far as legality is concerned, I have no specific info, but I suppose that the true but misleading statement (according to the ruling) that AMD's system "helps in the protection against viruses" is about the same as a dreft (a dishwashing detergent) promising to clean your pots without scrubbing and not doing so. Or versatel promising you free phone calls but putting the fine print so small and fast, no normal person can read it on a TV screen. As far as I remember, in the states the fine print actually needs to be read out loud during a commercial. (?or am I mistaken?)

      And in radio the fine print is just left out altogether. Now if the courts would have said: "clarify the fact that it is not an anti-virus system" then I would have understood.

  82. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  83. Re:Holland or the Netherlands? Wanna know ? by Anonymous Coward · · Score: 0

    16 metres? are you on fucking crack? the lowest point is 6 metres below sealevel.

  84. Re:Holland or the Netherlands? by Elshar · · Score: 1

    YARR! GOLD!

  85. Re:... AMD is banned but ... by Anonymous Coward · · Score: 0

    No, weed is not legal in the Netherlands. However the Police will do nothing if they find a small quantity that is clearly for personal use.
    If large quantities are found then the plants will be destroyed and the owner arrested and prosecuted.
    Coffee shops are allowed to exist only because it keeps the drug use concentrated in a small area and thus controllable.

  86. It Breaks Down Like This by appleLaserWriter · · Score: 3, Funny

    VINCENT
    Yeah, it's legal, but is ain't a
    hundred percent legal. I mean you
    can't walk into a restaurant, open
    up a laptop, and start settin' NX bits.
    You're only supposed to hack in
    your home or certain designated places.

    JULES
    Those are internet cafes?

    VINCENT
    Yeah, it breaks down like this:
    it's legal to buy it, it's legal to
    own it and, if you're the
    proprietor of an internet cafe, it's
    legal to sell it. It's legal to
    carry it, which doesn't really
    matter 'cause -- get a load of this
    -- if the cops stop you, it's
    illegal for this to search you.
    Searching you is a right that the
    cops in Amsterdam don't have.

    1. Re:It Breaks Down Like This by Lenale · · Score: 1

      Searching you is a right that the cops in Amsterdam don't have.

      Actually, they do, but not all the time. There is a special law that is used more and more often, which allows policemen to search everyone unprovoked. They only need an 'officer of justice' (DA) to sign a paper first.

  87. Re:Is Holland a Country? by Anonymous Coward · · Score: 0


    Holland is _only_ those provinces. However "Netherlands" (or the Lowlands what is its more modern choice of words) is not entirely safe either, since that can include Belgium and Luxembourg too.

  88. Re:Holland or the Netherlands? by SillyNickName4me · · Score: 2, Informative

    Noord Holland, Zuid Holland, Utrecht, Gelderland, Overijsel, Drente, Friesland, Groningen, Noord Brabant, Zeeland, Limburg and Flevoland together make up the kingdom of the Netherlands.

    There are 12 provinces. Holland as such simply does not exist.

    And to you moderators who think this is redundant, maybe it would be if for once the editors would get it right. So far they never do, so the information is not redundant.

  89. HW protection long time ago implemented on SPARC by vescudero · · Score: 2
    This NX bit is a long-awaited hardware feature in the x86 platform. Sun Solaris developers needed a similar way of avoiding stack overflows due to arbitrary code execution. The solution was partially addressed in the Sun UltraSparc architecture with the introduction of an optional flag that could mark the stack as non-executable. Additionally even the unsuccessful attempts to break this protection could be logged for further investigation.

    At first this flag was disabled by default because it did not comply with the SPARCv8 ABI, so some (mainly badly coded) applications that relied on the execution of code inside the stack could not run as expected. Sun collaborated with its huge community of developers to address some collateral effects and once resolved Sun published the new SPARCv9 ABI reference guide in which the stack is no longer mapped as executable.
    Currently 64-bit Solaris applications running on SPARC don't need to worry about exploits that rely on malicious code execution due to stack overflows.

    --
    Email contact: https://privacybox.de/vescudero.msg (Key-ID: 0x82C47638) My bitcoin donation jar: 1HtXafVHH9vLfjcijmZubg
  90. Re:Holland or the Netherlands? by Rakishi · · Score: 1

    The German language thing seems to be somewhat common actually. In Polish it's niemecki for example.

  91. Gory Details & a BIG question... (win32) by burnttoy · · Score: 1

    This is all PERFECTLY true. You should never make that assumption! Especially in a kernel as they tend to be locked down harder than user mode, usually due to single address space rather than per "process" protection schemes.

    In Win32 use VirtualAlloc and specify PAGE_EXECUTE_READWRITE in the flags. You have no problems at all. VirtualLock provides the address and then you can call it like a C function via a function pointer variable e.g....

    typedef int (*FUNC)(void);
    LPVOID lpvdat;
    lpvdat = VirtualAlloc(NULL, 65536, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // VirtualLock... write code/data to lpvdat....
    FUNC f = (FUNC)(lpvdat);
    int res = f();

    Now "poke" whatever code you want into lpvdat and EXECUTE.

    NOW! can someone tell me how to do something similar in the Win2K/XP kernel???

    --
    Time flies like an arrow. Fruit flies like a banana.
    1. Re:Gory Details & a BIG question... (win32) by Anonymous Coward · · Score: 0

      typedef int (*FUNC)(void);
      LPVOID lpvdat;
      lpvdat = VirtualAlloc(NULL, 65536, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // VirtualLock... write code/data to lpvdat....
      FUNC f = (FUNC)(lpvdat);
      int res = f();

      Now "poke" whatever code you want into lpvdat and EXECUTE.

      NOW! can someone tell me how to do something similar in the Win2K/XP kernel???


      Depends on whose memory space you want to run it in. If you want to allocate your code in the context of a particular process' memory (imagine you have a process handle and you want to allocate memory inside of that process and create a callback stub in there...) then you can call ZwAllocateVirtualMemory() with the conventional Windows memory protection parameters. Then you can write a stub to your code into the user app. or something. You won't be able to work with kernel-mode data structures, though.

      On the other hand, you could use ExAllocatePool() to get some kernel-mode memory and then possibly put your callback there. Since it's kernel-mode pool memory there's probably no memory protection on it.

      Still, this is all very, very dangerous. I can't think of a faster way to blue-screen a Windows NT/2K/XP system than writing self-modifying code into a Windows kernel-mode driver.

    2. Re:Gory Details & a BIG question... (win32) by Anonymous Coward · · Score: 0
      Seems like this would be faster...:

      char *p = NULL; (*p)++;
    3. Re:Gory Details & a BIG question... (win32) by Anonymous Coward · · Score: 0

      The ++ is not needed.

  92. Who cares? by johannesg · · Score: 3, Interesting
    Let me assure you that just about _no one_ outside the Netherlands cares about this, and the vast majority inside doesn't care either. Only a few highly frustrated provincials seem to be bothered by the fact that Holland and the Netherlands are technically not the same, the rest of us use the words interchangeably when speaking English.

    Of course, the whole mess doesn't exist in the Dutch language anyway. We live in Nederland, we speak Nederlands, and we call ourselves Nederlanders - all perfectly regular. If I called myself a "Hollander" in Dutch, I would be indicating I was from either South Holland or North Holland. If I do the same in English people understand I'm from the Netherlands.

    Oh, and if the audience is American, they know I'm from the capital of a country known as Kopenhagen ;-) Sorry about that, but you must understand that American tourists who are not only lost, but in fact at least two entire countries removed from where they think they are, are the stuff of legend in Europe ;-)

  93. Stack smashing for fun and profit....... by hughk · · Score: 1

    Overwriting a return address with a new one is difficult because you need to find the correct place to call. It is much easier to insert your own code with the modified stack frame. Therefore NX (present on many other architectures) is actually a fairly major step.

    --
    See my journal, I write things there
    1. Re:Stack smashing for fun and profit....... by DavidTC · · Score: 1
      Linux has a feature, although it might still require a patch, where you can load libraries at random addresses, and thus you can't just check what libc that distribution was using and call a function in it. Like the obvious 'system("echo blah>temp")' 'system("sh temp")'. Buffer overflows have to use pointers, they can't use function names, and thus if you move the libraries around in memory before linking them (at runtime) into the application, pointers will not work.

      Of course, if it's a precompiled binary, that helps only a little, because, you could always call a function within that program.

      For example, say there's an FTP program with a buffer overflow at the login. With relocatable libraries, you can't call system() because you have no idea where libc is at, but say it has a 'postlogin()' function that sets up the variables and whatnot after you logged in. If it's a precompiled binary, you can just call that function via the buffer overflow, and, boom, you're logged in.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Stack smashing for fun and profit....... by hughk · · Score: 1

      The thing is that system calls can't move around usually. You don't really need libc if you can get to the kernel entry points. Remember it is the kernel that actually does the real work, i.e., libc only wraps system(), the real work is inside the kernel.

      --
      See my journal, I write things there
  94. Re:HW protection long time ago implemented on SPAR by id09542 · · Score: 2

    I have to chuckle, we have had this "feature" on the IBM mainframes for over 30 years. I enjoy watching you youngsters re-invent the wheel.

  95. Re:Holland or the Netherlands? by xouumalperxe · · Score: 1

    could be from the fact that the portuguese were the first europeans to get to japan, and we call holland "holanda". Just a mild variation there.

  96. Re:For now, it creates more problems than it solve by TheGratefulNet · · Score: 1

    I used to joke about java being a 'write-once, debug many' language.

    seems I was really being accurate even without knowing why.

    --
    "It is now safe to switch off your computer."
  97. Re:Honest Answer by Anonymous Coward · · Score: 0

    Middle mouse button? What useful feature does that have in Windows.

    Hrm... AutoCad, Maya3D, StudioMax, and anything else that is a 3d'ish design program really require a 3rd mouse button with a good deal of the features.

    Dragging with holding the left, right, middle mouse buttons all do different things as far as expanding, extracting, etc etc as well as different context menus. I could achieve many things without the 3rd mouse button but it would require me to grow a 3rd hand for the keyboard to keep at the same workflow speed.

    Although I bet you didn't know that you already have a middle mouse button on your scroll wheel... So any MS scroll wheel mouse works fine for these programs.

    That and 3rd mouse (and 4th, 5th...) buttons are really helpful with FPS games.

  98. And the cute thing is the advert - it has a G4 by dirkx · · Score: 1
    You do want to look at the NX advert at the top of this page - a titanium powerbook G4 is used in the adverts. No AMD inside :-)

    In the print versions sold locally (e.g. in the HCC magazine) it is even more obvious as you see the whole machine.

    Dw.

  99. Re:Dutch people by Anonymous Coward · · Score: 0

    Actually, KLM has ceased to be a company, let alone a dutch one. It's now a part of Air France.

  100. Does it cause more problems then it solves? by Phil246 · · Score: 1

    in my opinion, yes. It encourages sloppy programming practise. Why bother checking for buffer overruns and fixing them when the processor can be forced to just not do anything if they occur.

    1. Re:Does it cause more problems then it solves? by dbacher · · Score: 1

      The end user shouldn't be responsible for a programmer's error, for correcting the programmer's error, or for identifying and catching the programmer's error.

      The issue is that even if you have the source code, you are unlikely to review it for the vast majority of the programs you have installed. The issue is that it is trivial to make an error that would go undetected in your code, and that error can then be used to attack your system.

      The application will still terminate with NX bit, if there's a buffer overrun. The trick with the NX bit is that it prevents code insertion attacks using the buffer overflow. The app will crash (SIGSEGV), but the bad guy won't get in.

      There are dozens of projects that have reported fixing buffer overrun errors in the last two to three months. /. focusses on Microsoft's errors, but Samba, GNOME, KDE, Mozilla have also had buffer overruns lately. The Samba vulnerability even allowed access to root privileges, which would be a pretty bad vulnerability indeed.

      NX bit would prevent most of these buffer overruns from compromising the system. The first goal has to be keeping the system secure, and since you cannot control the code going in in a meaningful way (by this, I mean there is nobody who has the time to aggressively review every single line of source code in every single package that they install), you must focus on limiting the damage that can be inflicted.

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
    2. Re:Does it cause more problems then it solves? by Phil246 · · Score: 1

      I agree the end user shouldn't have to take the fall, but there's no excuse for allowing buffer overruns in the first place.
      Treat all data as 'bad' until proven otherwise, make sure every time you use a buffer that the data will fit in it. It's not too hard to do.

    3. Re:Does it cause more problems then it solves? by superchkn · · Score: 1

      Microsoft can't even make the deadlines without verifying these things. How can you expect them to even ship if you put constraints like that upon them?

      Seriously though, buffer overflows can happen regardless of the company or source. Obviously some take this more seriously than others (i.e. the BSDs). So since only so much can be done, we use technology to minimize the impact when it does occur. It's kind of like how society can see that some people won't follow the rules so we invent police and jails instead of trying vainly to just fix the people in the first place. Some "parents" are better than others.

      DISCLAIMER: Please don't read too much into that parenting reference, it is only as an example, not an absolute cause of misbehavior (in people at least).

  101. The actual reason by Fuzzums · · Score: 1

    is that the campaign was misleading. AMD stated their campaign in such a way that it sounded like you don't need any virus protection any more.
    Which we all know, isn't true.

    By the way: Holland isn't the same as The Netherlands. Holland is just a small part in the west of The Netherlands. To make it more confusing: Zeeland and Friesland are also part of The Netherlands

    --
    Privacy is terrorism.
    1. Re:The actual reason by Anonymous Coward · · Score: 0

      ..and England isn't the same as the Great Britain and USA isn't the same as America. What's the point?

  102. Must've "float"ed away... by Mr+Z · · Score: 1

    It must use an IEEE-754 hidden-one representation...

  103. bad marketing by Anonymous Coward · · Score: 0

    NX has very little to do with viruses. It only protects against execution of code in the stack area of programs. This stomps out those pesky buffer overflow and format string attacks. But there are still a good number of attacks left.

  104. I would have advertised it by Corellon+Larethian · · Score: 1

    NX

    The first bit of Palladium.

  105. Solve more problems than it causes? by upsidedown_duck · · Score: 1


    I've been using the equivalent of NX on Solaris/SPARC for a couple years, now. Everything works as expected. Self-modifying code is dumb, anyway.

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  106. Re:Holland or the Netherlands? by dosius · · Score: 1

    Quite possible. Is H silent in Portuguese as it is in Spanish? If so, that would certainly be where it came from.

    Moll.

    --
    What you hear in the ear, preach from the rooftop Matthew 10.27b
  107. Re:Holland or the Netherlands? by Anonymous Coward · · Score: 0


    Hee hee, you said "Noord!"

  108. Re:Honest Answer by Anonymous Coward · · Score: 0

    Hrm... AutoCad, Maya3D, StudioMax, and anything else that is a 3d'ish design program really require a 3rd mouse button with a good deal of the features.

    Those are really program features and not features specific to windows.

    Dragging with holding the left, right, middle mouse buttons all do different things as far as expanding, extracting, etc etc as well as different context menus.

    Well, here I am in windows, I can't seem to do anything with that "copied" 3rd mouse button in the apps included with the OS. It won't copy a file, it won't bring up a context menu, it won't paste anything, it won't even select or focus anything most of the time. I've only tried IE, notepad, and Explorer, but those are some pretty major Microsoft Windows OS applications. Now in X, the middle mouse button pastes virtually regardless of the application I'm using. Perhaps you meant to say that someone copied Autocad (incidentally, didn't that run in DOS before Windows 3.0?) or some other app, maybe. Though I'm pretty sure the 3 button mouse wasn't created explicitly because of Autocad (though probably because of many similar in-house applications).

    Although I bet you didn't know that you already have a middle mouse button on your scroll wheel... So any MS scroll wheel mouse works fine for these programs.

    Surely you know what assuming does? Alas, my Linux box is equipped with one of those "new-fangled" scroll mice (Logitech MX700), in fact I was using it to describe the function of the third button in X. I did have a 3 button mouse, but that was back when I had Windows where its only function outside some specialized, non-Microsoft apps (e.g. Autocad) was as a finger rest.

    That and 3rd mouse (and 4th, 5th...) buttons are really helpful with FPS games.

    I guess I should have just summed it up as, "I was referring to Microsoft [specifically Windows], not your X-name app manufactured by someone other than Microsoft." Hopefully though, you didn't need to read this far to figure that out.

  109. No, it doesn't. by Anonymous Coward · · Score: 0

    Apps simply have to be coded correctly. Sun's JVM works just fine, and anyone else's should too. If you find something that doesn't work, you should tell the morons that wrote it to fix it.

  110. Re:Holland or the Netherlands? by mattiwatti · · Score: 1

    Wait... so you mean I've been living in a windmill for all these years just because I thought everybody else here did it?

  111. Re:... AMD is banned but ... by Anonymous Coward · · Score: 0
    It's safe just like alcohol and tobacco.

    There may be components in marijuana that can be medically useful, but using the plant itself (a mixture of a variety of beneficial and harmful components) isn't going to net one any benefits. It's somewhat akin to putting crude in your gasoline car versus using gasoline which is just one component refined from oil.


    What a great argument! Just say the opposite of what the first poster said and we should believe you because??? I forgot, this is slashdot where proof or a reasonable argument composed of factual points isn't allowed. No study on MJ has ever come to the conclusion that you brilliantly reached and claim that we should all just accept. Are you sure you don't work for DARE?

  112. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  113. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  114. Re:Holland or the Netherlands? by dajak · · Score: 1

    could be from the fact that the portuguese were the first europeans to get to japan, and we call holland "holanda". Just a mild variation there.

    Not just that. The Dutch traders who established a trading post in Japan were from the state of Holland. No trading companies from Zeeland or Friesland or other states in the Federated Netherlands ever went there. Zeeland mostly traded with the Americas, and Friesland with northern Europe.

    Cities like Amsterdam and states like Holland could have independent diplomatic relations with foreign powers like Japan, and they could also make war independently - even on each other. The new bureaucracy of the federation was tiny compared to the ancient state bureaucracy of Holland. Only in the 18th century people started identifying with the (plural) 'Netherlands' as a whole.

    Of course even in the 16th and 17th century you would have seriously pissed off someone from Zeeland or Friesland by telling him he is from Holland. It is like calling a Scotsman English.

  115. Re:Holland or the Netherlands? by dajak · · Score: 1

    Heck, most languages call other countries (and/or their native languages) by names that frequently have little relation to their native name. People in Byelorus even complain that germans call their country "white russia" instead of "byelorus", even though they call the German language "nyemetski" instead of "deutsch". So long as the information is passed, people need to quit pitching a fit about it. It's just the way language has developed.

    True. In many cases a state has merely kept an old name that once applied to it. The sensitivities with Belgium/Netherlands/Holland, Dutch/Flemish/Netherlandic are a bit more complicated because there is some competition for names involved. Every country in this area of Europe carries a strange name, often invented by others.

    Long ago in the time of the Frankish empire all continental germans spoke variants of the 'lingua theodisca', or Teutonic/Dutch/Diets/Duutsc/Deutch. Subvarieties of this language are for instance Franconian/low Franconian/low Saxon.

    German traders visiting the English coast were called 'Dutch', and most of these traders obviously came from the north sea coast (speaking low Franconian or Saxon). This is where the principalities of Holland and Flanders were.

    The North sea coast region as a whole was called 'the Netherlands', or 'Belgica' in Latin. In the 16th century the 17 Netherlands split in two states: The Royal Netherlands (Belgica Regia, including most of Flanders and Brabant) and the Federated Republic of the Netherlands (Belgica Foederata, including Holland).

    Most traders from the Federated Republic that visited England were from Holland, the most powerful member state, and would have identified themselves as such. The name 'Holland' for the Republic stuck in English. Only people from Holland like it.

    In Belgica Regia the civilized languages remained French and Latin, and it became 'Belgium'. Belgica Foederata became the 'Netherlands', evolving a standardized language 'Netherlandic' based on low Franconian. The names Belgium and the Netherlands thus originally refer to the same area.

    The states east of the Netherlands formed the Norddeutschen Bund (the North German League), and later became 'Deutschland' (Germany). This country also standardized its language (Hochdeutsch, or High German). The nation was formed under the leadership of Prussia, which is itself not a part of the area called Dutch/Deutsch by the Franks.

    From this point on the Dutch did not like being called Dutch anymore, because the Germans appropriated that word (with the implied threat of being inclusive of other 'german' nations). So 'Netherlandic' is better than 'Dutch' since the 19th century. 'Dutch' simply means 'German' to us (and some may return the favor by calling all English-speaking people 'Anglosaxons').

    However most Dutch-speaking Belgians like 'Netherlandic' less, because it reminds them of their quarrelsome neighbor, the Netherlands. They would marginally prefer to speak 'Dutch', or even better: 'Flemish'.

    The (unrecognized) language 'Flemish' does exist, and is spoken by tiny rural minorities along the coast in France, Belgium, and the Netherlands. The vast majority of Dutch-speaking Belgians very clearly speak (less standardized Brabantic dialects of) Dutch, however. Even if they want to call it Flemish.

    Some small leftovers: the French-speaking Belgians call themselves Walloons, and that derives from the Germanic/Dutch word Walah/Waal, meaning 'foreigner'. Just like the Welsh in England. The French themselves, and their language, have hardly any relationship with the Franks and the Franconian language other than the fact that Frank warlords ruled them for centuries.

  116. Re:NX bit causes problems? by Anonymous Coward · · Score: 0

    Sorry, but I won't get offended when a pole smoker tries to flame me for spewing AMD commercialism when AMD hardly invented the concept. Considering that the Alpha had it and now that Intel has decided to retrofit it to their designs, this stateful memory allocation concept is something you incompetent dipshits better get used to.

    Again, learn to write quality code or fuck off and die.

    And for you, flametroll, you might want to pull that cock lollipop out of your mouth from time to time. Pity your post had no point other than to pounce on typographical errors and project your life story upon me.

    Call me when you can actually write a few lines in something other than VB.

  117. What this stuff really does by bluefoxlucid · · Score: 1

    In order to determine what NX does, we must look back at what people have created fake NX bits for in the past. This has been used on x86 for security purposes for a while.

    Let's go back a few years, to late 2000, when PaX was created. PaX (Article) emulated an NX bit on x86 with a low-to-high and potentially extreme level of overhead depending on memory usage. Later on, a new method was devised to do this emulation with a low level of overhead, but restricted the VM space to 1.5GiB (which didn't really matter anyway).

    PaX later introduced ASLR as well, to randomly arrange the address space. This can be easily defeated by reading the global offset table, or GOT; however, the GOT offset is stored in a register, and the GOT itself is stored in a randomly placed segment of memory. Finding existing useful data and program code for ret2libc attacks requires reading the GOT; reading the GOT requires finding the GOT; and finding the GOT requires injecting code.

    PaX used its newly emulated NX bit to prevent the root problem from occurring. It made a definite and permanent separation between executable memory and data areas. Any memory created as executable had to be initially loaded with the code, either by mmap() or by the kernel reading in an executable .text segment. These segments couldn't become writable unless they dropped executability. Other segments could freely change read and write permissions; but they could never add the executable protection, even if they were non-writable.

    Under these restrictions, code could still easily be injected into a running program, as long as it wasn't being injected into executable memory--which was never allowed to be writable for any period. Once the process changed the PC to that code, however, the CPU would trigger a segmentation fault, which PaX would handle by killing the program and complaining in the kernel log about an illegal execution attempt. In this way, only code existing in executable segments at link time (load-time or dlopen()/dlsym() linking) could be executed. This also meant that existing code could not be executed out of order without extreme luck and a blind guess as to where that code would be, since the randomization could not be examined by an attacker.

    Later, in 2003, two new technologies appeared. One was OpenBSD's W^X, and another was RedHat's Exec Shield. Both used a new, fast method of approximately emulating an NX bit; however, this method was flawed; mprotect()ing a higher memory address breaks the emulation so that you get a full executable layout below that point. Unlike PaX, these also did not and do not constrict mprotect() to safe combinations. Interestingly, PaX's original logic for emulation was augmented with this new method later, but with a fallback to the original logic if the flaw was activated. The new SEGMEXEC logic was still kept, and is still recommended by many who use PaX.

    There were compatibility issues with all of these. ES relied on a binary marking that would mprotect() the stack or heap on load automatically, to be executable. The ASLR in ES still had to be disabled system-wide, to my understanding, if there were compatibility issues. This was not a robust solution.

    If PaX breaks something, some PaX flags can be set on the affected binary executable to A) De-restrict mprotect(); B) make all of VM executable; C) disable ASLR. This only affects the particular program itself. Trampolines can be detected and allowed if desired as well (per-binary); and RELROs can be specially set to be mprotect()able freely (system-wide).

    All of these methods have some level of overhead; and some of them are inaccurate and will relax restrictions excessively under certain circumstances. These problems stem mainly from the methods of emulation used. With a hardware NX bit, however, the NX logic is handled natively by the CPU. The inaccuracies of the W^X and ES emulation method, and the
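
The mprotect() rules this comment describes for PaX, modelled as a small state machine. This is an added example, not part of the comment and not PaX's own code; the names `model_mmap`, `model_mprotect` and `first_denied` are made up for the model, which tracks only the permission bits of one mapping.

```c
#include <stdio.h>

enum { P_R = 1, P_W = 2, P_X = 4 };   /* read, write, execute */

struct region { const char *name; int prot; };

/* Creation: a mapping may start out executable (code loaded at mmap or
 * exec time), but never writable and executable together. */
int model_mmap(struct region *r, const char *name, int prot) {
    if ((prot & P_W) && (prot & P_X)) return -1;
    r->name = name;
    r->prot = prot;
    return 0;
}

/* Change: X may be kept or dropped but never gained, and W is only
 * granted when X is given up. R and W otherwise change freely. */
int model_mprotect(struct region *r, int prot) {
    if ((prot & P_W) && (prot & P_X)) return -1;
    if ((prot & P_X) && !(r->prot & P_X)) return -1;
    r->prot = prot;
    return 0;
}

/* Replay a request sequence against one region; return the index of
 * the first denied request, or -1 if every request was allowed. */
int first_denied(struct region *r, const int *reqs, int n) {
    for (int i = 0; i < n; i++)
        if (model_mprotect(r, reqs[i]) != 0) return i;
    return -1;
}

int main(void) {
    struct region text, heap;
    const int patch_text[] = { P_R | P_W, P_R | P_X };  /* unlock, then re-arm */
    const int heap_flip[]  = { P_R, P_R | P_X };        /* drop W, then ask for X */

    model_mmap(&text, ".text", P_R | P_X);
    model_mmap(&heap, "heap", P_R | P_W);
    printf("%s: denied at step %d\n", text.name, first_denied(&text, patch_text, 2));
    printf("%s: denied at step %d\n", heap.name, first_denied(&heap, heap_flip, 2));
    return 0;
}
```

In both sequences the first request succeeds and the second is refused: once a mapping has been writable it cannot become executable, which is the separation the comment attributes to PaX.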

  118. Re:... AMD is banned but ... by Anonymous Coward · · Score: 0

    What a great argument! Just say the opposite of what the first poster said and we should believe you because??? I forgot, this is slashdot where proof or a reasonable argument composed of factual points isn't allowed. No study on MJ has ever come to the conclusion that you brilliantly reached and claim that we should all just accept.

    I'm sorry, somehow you must have missed the links or not read them. Let's just go with the DOJ one. It says (and references) studies linking the smoking of MJ with higher lung cancer rates (as did the CNN link). The DOJ also mentions things like "400 chemicals" in MJ. Also it mentions the beneficial uses of THC as well as an ongoing study of MJ compounds being studied for their beneficial uses. So, those of us with some brain cells can conclude:
    A) Some of those 400 chemicals must be good if they are studying them for beneficial uses
    B) Some of those 400 chemicals must be bad (linked to cancer - the CNN link even)

    I didn't think it necessary to summarize the points of the articles, after all it is OT anyhow. Clearly I forgot about those that cannot follow and then read a link. I sincerely apologize but I'm at a loss on how to proceed seeing as you cannot chain together these few links and follow the logic without a long step-by-step explanation. My statement was merely a summary of the articles, though it is true that the comparison to crude oil was completely fabricated by myself. I did not reference that from any of the links.

    So, I'm puzzled by your hostility. Perhaps that's just the addiction talking?

    Are you sure you don't work for DARE?

    I think I would remember; even the acronym escapes me at this particular moment. Are they extremists? Perhaps much like you except on the other side of the fence?

  119. Re:NX bit causes problems? by Anonymous Coward · · Score: 0

    And for you, flametroll, you might want to pull that cock lollipop out of your mouth from time to time. Pity your post had no point other than to pounce on typographical errors and project your life story upon me.

    I'm sorry, that's all I got from your post. That and some things that had already been mentioned, in a friendlier tone, no less. It sounded like a flame to me as there was much insulting.

    I must admit being genuinely surprised to have struck such a chord with one who looks so far down upon the IT community, let alone slashdot's.

    Not that I really disagree with those points between the insults, I actually agree. It is simply your approach that has left me responding in like.

  120. Re:Holland or the Netherlands? by Dun+Malg · · Score: 1

    The German language thing seems to be somewhat common actually. In Polish it's niemecki for example.

    Yeah, the word is similar in all Slavic languages. It essentially means "tongue-less", a mildly dismissive term applied to Germans in Russia who didn't speak Russian.

    --
    If a job's not worth doing, it's not worth doing right.

  121. Re:Is Holland a Country? by starrsoft · · Score: 1

    The parent said what he did in a flamebait way, but he does make two good points:

    1. "Holland" is not a country; "The Netherlands" is a country.

    2. This is not likely to have a large impact on what AMD is trying to accomplish because the Netherlands is not a large or populous country.

    --
    Read my blog: HansMast.com

  122. MOD PARENT UP by starrsoft · · Score: 1

    Erm, why is this modded troll? It should be insightful!

    --
    Read my blog: HansMast.com

  123. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    MOD PARENT DOWN

  124. Re:Holland or the Netherlands? Wanna know ? by fm6 · · Score: 1

    Wrong. Holland is a large province in The Netherlands that sort of dominates Dutch politics and history. (Administratively, it's two provinces nowadays.) Some people use "Holland" and "The Netherlands" interchangeably, just as some people say "England" when they mean "Great Britain". But just as Scots and Welshpeople resent being called "English", I suspect that a lot of Frieslanders and Brabantians resent being called Hollanders.

  125. Re:Holland or the Netherlands? Wanna know ? by cablepokerface · · Score: 1

    I'm afraid not, friend.

    The name Holland in this and the other entries on this page ultimately stem from holt land ("wooded land").
    Upgrade your knowledge

    Check the North and South Holland thing too. However, in South-Holland (the province) lies Amsterdam, so it does somewhat dominate the Netherlands politically as you pointed out. I am Dutch btw.

  126. Re:Holland or the Netherlands? Wanna know ? by fm6 · · Score: 1

    I'm sorry, what are you trying to say? You tell me I'm wrong, then you point me at a Wikipedia article that says the same thing I said. And what does the etymology of "Holland" have to do with anything?

  127. Re:Holland or the Netherlands? Wanna know ? by cablepokerface · · Score: 1

    I interpreted your comment as that you were trying to say that Holland is just the name of the provinces. It isn't, that's why I pointed out that Holland is merely an older word for the country now known as the Netherlands. Oh well, doesn't matter.

    I live here by the way; in 'Roosendaal' in the south exactly between a city called 'Breda' and one called 'Bergen op Zoom'. It's a shame those maps don't include us btw because we're bigger than 'Bergen op Zoom'.

  128. Re:Holland or the Netherlands? by cammoblammo · · Score: 1

    That's interesting.

    Aborigines in the north of Australia had a word for white people before (as far as history can tell) whites ever came to our sunny shores.

    It turns out that the northern Aborigines did a fair bit of trade with Indonesians who would sail south to fish for trepang. The Indonesians knew the Dutch (or whatever we call them---this thread's confusing me) and called them 'Ballander,' derived from 'Hollander.'

    Along with a lot of other Indonesian words, it somehow found its way into the Aboriginal languages up north, and spread around a bit---having never seen white people the Aborigines incorporated it into some of the myths, which had white ghost type people in them.

    As far as I know, the word 'Ballander' is still used to refer to white people in a lot of Aboriginal communities today, especially in the north.

    --

    Cogito, ergo sig.